This is one of those things that make me go "...hmmm". I learned a little more about it from this video though. During my sysadmin days (thank GOD I'm retired from that now!) I had guys in the shop who literally wore out their USB drives and laptop USB ports from constant plugging and unplugging, so that they became unusable. In addition to the fear of losing your YubiKey, I always worried about the eventuality of the key simply failing from use. But having the fail-safes of one-time codes and multiple 2FA backups does allay those fears though. I agree on the topic of using it for case of needing ultimate security, it wouldn't get any better than that. Great overview!
I’m a sys admin and we will be enforcing 2FA for all our users. A contract for security keys will be signed and we’ll be supplied with the amount we need plus backups. If a user loses their key it’s no problem our administrators will reset their 2FA and allow them to set up a new one.
The USB port on my phone has worn out. Besides, I wouldn't want to plug anything in there anyway. A Yubikey is just another roadblock to slow honest users down while having little to no effect on hackers. We should just stop treating all these scammers like their scams have any credibility. Let's start by getting local governments to stop stores from importing and selling Yubikeys to protect people from themselves and business greed.
Thank you Leo for this very helpful video. You are the only one out of all the privacy and security RUclipsrs who addresses the question of using the Yubikey along with other 2FA. For example, Facebook offers 2FA by Authentication app, SMS and Security Key. And once I had set up my security keys in my Facebook account I was left wondering if I should turn off the other options to maximize security but I could not find an answer anywhere. Although you mention that there is only a very small incremental security risk by having other 2FA options turned on, Ive always wondered what is the point of having Yubikeys if the other 2FA options are turned on (considering the cost of buying a Yubikey). But now Ive understood from your video that only for my most sensitive accounts should I set the Yubikeys as my only 2FA option and for other less sensitive accounts it is okay to have some other 2FA options turned on (although I try to avoid 2FA by SMS whenever possible).
I would have liked to see much more detail about how these devices work. For example: the YubiKey types out a different string each time, so how does an online account verify that the new string it's never seen before is correct? Does it have to query a server a YubiKey at authentication time? If so, what does that query look like? Was some secret (like a public key) shared at the time of initial setup? If the YubiKey servers are ever compromised, would that compromise my accounts? Not that 2 factor services like YubiKey or, say.....Okta (ahem) are ever compromised... These are important details.
Why are you so worried about having passwords compromised on the one hand and then also completely not worried about having so many additional factors that having any of them compromised and used to lock you out? That's called double standards.
Can it be cloned like SIM Card cloning? I mean it has USB like structure which I think can be accessed when used in a proper software to view the data?!
They are engineered to be very difficult to clone. In addition, there's a counter incremented with each use. If a cloned Yubikey is attempted to be used, the counter will be compared. If there isn't a proper match, the key will be invalidated.
Timestamps is a part of the validation so a copy will have a different timestamp and it will not be working. There is a chip inside, that cant be accessed. It is like a secure enclave.@@neuideas
If you let several 2FA possibilities open ( Yubikey, google authenticater, text, email) then an hacker can choose which one he want to hack. The hacker has different option as well. He doesn’t need a Yubikey. He can choose an easier one as text or email. Or do I miss something?
Hi, how to you check a yubikey right out of the box? I received one in the post but the packaging was damaged ! I wondered if there is a check that can be run on it to make sure it’s not been tampered with or should I just throw it away ? Or is there a way to reset it ?
They don't work with Google, and most banks don't support them either. For the most part they are a waste of money. Even for a Windows login, you can just bypass it by entering the correct PIN.
@@richstilke1227 My YubiKey works quite well with Google. I don't consider it a waste at all. (Yes, you do have to ensure that you haven't set up alternate mechanisms if you want the YubiKey to be the ONLY way to ID. You can turn off the PIN if you like.)
My question would be if you use multiple 2FA methods, isn't your security only as strong as the weakest link (2FA). So really how does this security key going to protect you in the case of multiple 2FA
@@Our1stPlanet Impression I had was that they were for backups. I.e., you use the strongest 2FA (Yubi) until you _have_ to use one of the others because you lost or damaged your key
Only if they ALSO know your password. As soon as you notice your YubiKey is missing, sign in to your account (using a backup method also set up when you configured the YubiKey), and then remove the YubiKey from your account.
How does a Yubi key work if I don't have physical access to the machine that is accessing the account? For example, I am running on a Azure virtual machine. Can I remotely access the key?
Can we just quit using passwords altogether and submit a dna test instead? Because I am old and getting older and I am out of guesses as to what my current password is!
I would advise anyone using SMS as 2FA to activate mobile PIN lock - this is associated with your mobile phone number, so in the event your SIM is swapped, the bad actor cannot access your SMS messages as they would need the SIM PIN to unlock the fraudulent SIM on their device.
With SIM swapping they don't actually take the SIM from your phone, they just get your phone company to send a new sim for your account to them. SIM pins only lock the sim card you have in your phone, they don't have any effect on the new SIM your phone company sends to the perp.
@killer2600 - I'm aware they can't physically take the SIM from a phone in a SIM swap- however, as I said, the SIM PIN is associated with your phone number so they cannot use the fraudulent SIM to access your phone details on their device, as they will require a PIN. (I have a SIM PIN lock and everytime I switch my phone off and on again, I need to type my SIM PIN to get back into my phone- (it would be the same for a bad actor who swaps a SIM as the mobile number is migrated to the fraudulent SIM).
You can buy a lighting and or NFC versions. But Yubikey is limited on what you can use its for 2FA, its only my emails and password manager that I can use it for. IE not every website that has 2FA lets you use Yubikeys.
Not exactly. There are techniques that require you have a specific file that can eb stored on a thumbdrive, but it's not at all the same as what a YubiKey does.
@@askleonotenboom OK, for me it's to expensive to buy one 60£ is not cheap and a good usb drive I can get from SanDisk for 20£ or even cheaper,depebd how much GB it needs. 🤔
Yubikeys look like usb thumb/flash drives but they are not nor will they appear as a drive when you plug them into your computer. They are more like smart cards, the kind you may have seen on your credit/debit card albeit you can't plug your credit/debit card into a usb port.
yubi key is far easier to understand than the passkey 😂 simply because it has physical key (kind of thing) associated with it. also you can just leave it at home in your vault and is the best kind of physical thing you can pass to someone in a cool way. just imagine you die and your lawyer pay a visit to your family to tell them your last will and testament and in the process they gave them your Yubikey 😂😂😂😂
I don't understand what I am supposed to imagine. Please explain. Okay, first my lawyer visits my family, then which is "them" and which is "they?" Are you saying my lawyer had the key and gave it to my family; or are you saying my family had the key and gave it to my lawyer? And why? The speaker in the video didn't say anything about all the passwords - where are they stored? Are you saying they are in the key? Or are you saying that with the key the family won't need the passwords? And is your scenario going to cause an argument amongst family members as to who gets the key? Or gets what? I thought the key only did 2FA not passwords.
If I have two Yubikey's, recovery codes and the authenticator app, is it wise to remove the rest of the authentication methods like email and phone number verification? Also, in theory, if a hacker would simswapps my phone number, could he or she change all the other authentication methods in my Google account and make the first methods I mentioned useless??
If you are confident in your recovery methods, it is not unwise to remove weak authentication methods like SMS and poorly secured e-mail (whether it's on the users or e-mail services end).
My issue is Yubico your review is not showing the full picture. It takes 2 weeks to have them delivered and if there is an issue then the buyer has to pay for return postage and also their customer service is very slow and on occasions I have had to write to them more than one to even get a reply!!!
For YOTP (Yubico One-Time Password) you don't have to enter a password. And why not just a FIDO security key? Because FIDO doesn't work across interfaces/connections that only permit keyboard character entries. That's where TOTP still shines and where YOTP was a hardware token game changer - with either OTP method one can implement 2FA in any interface that takes ascii keyboard characters.
What are the weaknesses of YubiKeys? If you have a backup key, you obviously can't keep both keys on the same keyring. Suppose one of the YubiKeys is on a keyring and you loose your keyring with all of your keys. Will the finder of your YubiKey have access to all of your accounts? Suppose it gets stolen. What then? Do you rush home, find your backup YubiKey and remove the YubiKey from all of your accounts? If you have a backup YubiKey in a secret place, do you have to always be concerned that someone may find your YubiKey and access all of your accounts? These are things we need to know. What are standard practices to avoid trouble?
I am completely lost on how this method is not seriously more insecure. The problem with a lost key is not how you would get in !!! its how to prevent the new owner from entering you account !!! Most current 2FA are not 2 factor but 3 factor. Eg. you need to 1. know the password, 2. you need to have the phone & 3. you need to be able to unlock the phone (fingerprint/face/pin). What am I missing ?
I'm not sure where you're getting "more insecure". Hardware keys are more secure. Most current 2FA are two factor, even if you have to unlock your phone. 1) What you know (your password, AND your phone PIN), 2) What you have (your authenticator app). It can be seen as three factor if your phone unlocks with fingerprint or face ID (what you are).
So you are accepting that a person who steals the key and guesses the password can access your account. With the phone, they would need your fingerprint or face as well (the '3rd' factor) And stealing this HW key will be much easier, since: 1. People will leave/forget it plugged into their computer out of laziness or convenience. 2. The nano keys do not have a key hole, so no way to 'tie' them with your car/house keys for protection. How is that not more insecure ?
@@TheSolderingGuy007Those all seem like very low probability and easily avoidable events. (And remember, NO solution is 100% secure. No such thing.) More commonly people fall for phishing attempts, which can include catching 2FA codes from a phone in real time. A hardware key is impossible to phish - you need actual, physical, possession.
There are 3 factors of authentication of identity: 1) Something you know e.g. password. 2) Something you have e.g. phone. 3) Something you are e.g. Fingerprint. Being able to unlock your phone with a pin/password makes it only 2 factor not 3. A password + a device + another password is still only needing to know your passwords and have your device which is 2 factors out of the 3. The risk of losing a Yubikey is lower than risk of your always-connected phone getting hacked with a zero-day exploit. Because of the convenience more people are exposed to internet-based hacking and over the phone/email scams everyday than they are to in-person theft. So physical items not connected to the internet are inherently more secure from those that we are most at risk to everyday. As for accidently losing a yubikey, it's a 2FA device which means it's one part of an authentication that requires two parts. The "new owner" would only have one part and wouldn't be able to log in presuming they would even know what accounts are associated with their new found key. TL;DR: Physical/offline security is vastly better than anything you do with your always connected to the world wide web smartphone. Even the best hackers in the world are foiled against a paper document laying on top of my desk - just can't quite make that last connection.
![KSI - Thick Of It (feat. Trippie Redd) [Official Lyric Video]](http://i.ytimg.com/vi/tXEPbotEjZE/mqdefault.jpg)
This is one of those things that make me go "...hmmm". I learned a little more about it from this video though. During my sysadmin days (thank GOD I'm retired from that now!) I had guys in the shop who literally wore out their USB drives and laptop USB ports from constant plugging and unplugging, so that they became unusable. In addition to the fear of losing your YubiKey, I always worried about the eventuality of the key simply failing from use. But having the fail-safes of one-time codes and multiple 2FA backups does allay those fears though. I agree on the topic of using it for case of needing ultimate security, it wouldn't get any better than that. Great overview!
some of these keys can also use NFC. i also worried about the same
I’m a sys admin and we will be enforcing 2FA for all our users. A contract for security keys will be signed and we’ll be supplied with the amount we need plus backups. If a user loses their key it’s no problem our administrators will reset their 2FA and allow them to set up a new one.
Un phones you got nfc or buy one for laptop or just a dongle for your usb so the replasable external is the one to wearout
The USB port on my phone has worn out. Besides, I wouldn't want to plug anything in there anyway.
A Yubikey is just another roadblock to slow honest users down while having little to no effect on hackers.
We should just stop treating all these scammers like their scams have any credibility.
Let's start by getting local governments to stop stores from importing and selling Yubikeys to protect people from themselves and business greed.
Thank you Leo for this very helpful video. You are the only one out of all the privacy and security RUclipsrs who addresses the question of using the Yubikey along with other 2FA. For example, Facebook offers 2FA by Authentication app, SMS and Security Key. And once I had set up my security keys in my Facebook account I was left wondering if I should turn off the other options to maximize security but I could not find an answer anywhere.
Although you mention that there is only a very small incremental security risk by having other 2FA options turned on, Ive always wondered what is the point of having Yubikeys if the other 2FA options are turned on (considering the cost of buying a Yubikey). But now Ive understood from your video that only for my most sensitive accounts should I set the Yubikeys as my only 2FA option and for other less sensitive accounts it is okay to have some other 2FA options turned on (although I try to avoid 2FA by SMS whenever possible).
Thank you for talking normal instead of fast. I can understand you which is new!!! 4:29
Lol, lots of people do talk too fast in these sorts of video don't they?
I just had to do it myself, got my yubikey and damn it printed that string!! This was exciting!
I would have liked to see much more detail about how these devices work. For example: the YubiKey types out a different string each time, so how does an online account verify that the new string it's never seen before is correct? Does it have to query a server a YubiKey at authentication time? If so, what does that query look like? Was some secret (like a public key) shared at the time of initial setup? If the YubiKey servers are ever compromised, would that compromise my accounts? Not that 2 factor services like YubiKey or, say.....Okta (ahem) are ever compromised... These are important details.
This was the very best explanation regarding this form of security. Thank you very much. Peter
Very well explained! Thank very much.
Why are you so worried about having passwords compromised on the one hand and then also completely not worried about having so many additional factors that having any of them compromised and used to lock you out? That's called double standards.
Can it be cloned like SIM Card cloning? I mean it has USB like structure which I think can be accessed when used in a proper software to view the data?!
not possible.
They are engineered to be very difficult to clone. In addition, there's a counter incremented with each use. If a cloned Yubikey is attempted to be used, the counter will be compared. If there isn't a proper match, the key will be invalidated.
@@neuideas enforcing the hardware counter is not a hard rule in the specifications. it's up to each provider of the service to decide
Timestamps is a part of the validation so a copy will have a different timestamp and it will not be working. There is a chip inside, that cant be accessed. It is like a secure enclave.@@neuideas
If you let several 2FA possibilities open ( Yubikey, google authenticater, text, email) then an hacker can choose which one he want to hack. The hacker has different option as well. He doesn’t need a Yubikey. He can choose an easier one as text or email. Or do I miss something?
Ideally yes, that is why it is better to combine two factors, i.e something you know+something you have
I think you forgot to explain the part about 'how the Yubikey works.'
Great video Leo. Keep it up brother.
Hi, how to you check a yubikey right out of the box? I received one in the post but the packaging was damaged ! I wondered if there is a check that can be run on it to make sure it’s not been tampered with or should I just throw it away ?
Or is there a way to reset it ?
It's not resetable, but I'd reach out to Yubico (the manufacturer) and see if they have any advice.
They don't work with Google, and most banks don't support them either. For the most part they are a waste of money. Even for a Windows login, you can just bypass it by entering the correct PIN.
@@richstilke1227 My YubiKey works quite well with Google. I don't consider it a waste at all. (Yes, you do have to ensure that you haven't set up alternate mechanisms if you want the YubiKey to be the ONLY way to ID. You can turn off the PIN if you like.)
Thanks for this very clear explanation !
Excellent video!
My question would be if you use multiple 2FA methods, isn't your security only as strong as the weakest link (2FA). So really how does this security key going to protect you in the case of multiple 2FA
Doesn't make sense to have Yubi and leaving email or SMS 2FA on
Please correct me if im wrong,
Other methods are only compromised when they are being used.
@@Our1stPlanet Impression I had was that they were for backups. I.e., you use the strongest 2FA (Yubi) until you _have_ to use one of the others because you lost or damaged your key
So what if someone notices you have a yubikey on yoir keyring, steals it then knows where you have your laptop? You're screwed, right?
Only if they ALSO know your password. As soon as you notice your YubiKey is missing, sign in to your account (using a backup method also set up when you configured the YubiKey), and then remove the YubiKey from your account.
How does a Yubi key work if I don't have physical access to the machine that is accessing the account? For example, I am running on a Azure virtual machine. Can I remotely access the key?
Typically, no.
Thanks, Leo~
Can we just quit using passwords altogether and submit a dna test instead? Because I am old and getting older and I am out of guesses as to what my current password is!
is it immune to browser hijacking
I would advise anyone using SMS as 2FA to activate mobile PIN lock - this is associated with your mobile phone number, so in the event your SIM is swapped, the bad actor cannot access your SMS messages as they would need the SIM PIN to unlock the fraudulent SIM on their device.
With SIM swapping they don't actually take the SIM from your phone, they just get your phone company to send a new sim for your account to them. SIM pins only lock the sim card you have in your phone, they don't have any effect on the new SIM your phone company sends to the perp.
@killer2600 - I'm aware they can't physically take the SIM from a phone in a SIM swap- however, as I said, the SIM PIN is associated with your phone number so they cannot use the fraudulent SIM to access your phone details on their device, as they will require a PIN. (I have a SIM PIN lock and everytime I switch my phone off and on again, I need to type my SIM PIN to get back into my phone- (it would be the same for a bad actor who swaps a SIM as the mobile number is migrated to the fraudulent SIM).
@@Summerbunny15 SIM PIN stops your SIM being used in another deivice. SIM swap is when the criminals obtain a clone of your SIM
How would you use this on an iPad or iPhone where you do not have usb.
You can buy a lighting and or NFC versions. But Yubikey is limited on what you can use its for 2FA, its only my emails and password manager that I can use it for. IE not every website that has 2FA lets you use Yubikeys.
They have NFC
Thanks
Any MFA is better than no MFA, but all MFA are not equal. Cell and email should be skipped all together.
Is it not possible to make from a normal USB stick or nvme storage a key like the yubikey ? 🤔
Not exactly. There are techniques that require you have a specific file that can eb stored on a thumbdrive, but it's not at all the same as what a YubiKey does.
@@askleonotenboom OK, for me it's to expensive to buy one 60£ is not cheap and a good usb drive I can get from SanDisk for 20£ or even cheaper,depebd how much GB it needs. 🤔
@@WaschyNumber1Its not about GB, its about how its built: the encryption and tamperproof.
Yubikeys look like usb thumb/flash drives but they are not nor will they appear as a drive when you plug them into your computer. They are more like smart cards, the kind you may have seen on your credit/debit card albeit you can't plug your credit/debit card into a usb port.
yubi key is far easier to understand than the passkey 😂 simply because it has physical key (kind of thing) associated with it.
also you can just leave it at home in your vault and is the best kind of physical thing you can pass to someone in a cool way. just imagine you die and your lawyer pay a visit to your family to tell them your last will and testament and in the process they gave them your Yubikey 😂😂😂😂
I don't understand what I am supposed to imagine. Please explain. Okay, first my lawyer visits my family, then which is "them" and which is "they?" Are you saying my lawyer had the key and gave it to my family; or are you saying my family had the key and gave it to my lawyer? And why? The speaker in the video didn't say anything about all the passwords - where are they stored? Are you saying they are in the key? Or are you saying that with the key the family won't need the passwords? And is your scenario going to cause an argument amongst family members as to who gets the key? Or gets what? I thought the key only did 2FA not passwords.
If I have two Yubikey's, recovery codes and the authenticator app, is it wise to remove the rest of the authentication methods like email and phone number verification?
Also, in theory, if a hacker would simswapps my phone number, could he or she change all the other authentication methods in my Google account and make the first methods I mentioned useless??
If you are confident in your recovery methods, it is not unwise to remove weak authentication methods like SMS and poorly secured e-mail (whether it's on the users or e-mail services end).
@@killer2600 Right, thanks!
My issue is Yubico your review is not showing the full picture. It takes 2 weeks to have them delivered and if there is an issue then the buyer has to pay for return postage and also their customer service is very slow and on occasions I have had to write to them more than one to even get a reply!!!
Why YubiKey? Why not Fido Security Key? - BTW, pressing the key is not sufficient. You have to enter a password for the key.
You may not have to enter a password for the key. (At least I don't). And YubiKey is just my example. There are other secure keys out there.
For YOTP (Yubico One-Time Password) you don't have to enter a password. And why not just a FIDO security key? Because FIDO doesn't work across interfaces/connections that only permit keyboard character entries. That's where TOTP still shines and where YOTP was a hardware token game changer - with either OTP method one can implement 2FA in any interface that takes ascii keyboard characters.
Yuubikey 5 series is Fido compatible
Yubikeys are in different types...
What are the weaknesses of YubiKeys? If you have a backup key, you obviously can't keep both keys on the same keyring. Suppose one of the YubiKeys is on a keyring and you loose your keyring with all of your keys. Will the finder of your YubiKey have access to all of your accounts? Suppose it gets stolen. What then? Do you rush home, find your backup YubiKey and remove the YubiKey from all of your accounts? If you have a backup YubiKey in a secret place, do you have to always be concerned that someone may find your YubiKey and access all of your accounts?
These are things we need to know. What are standard practices to avoid trouble?
Spare key to a borrowed summer home is around my neck in that last 20 years. My youbi key same or medical tape to my chest .
I prefer google’s titan key.
I am completely lost on how this method is not seriously more insecure.
The problem with a lost key is not how you would get in !!! its how to prevent the new owner from entering you account !!!
Most current 2FA are not 2 factor but 3 factor. Eg. you need to 1. know the password, 2. you need to have the phone & 3. you need to be able to unlock the phone (fingerprint/face/pin).
What am I missing ?
I'm not sure where you're getting "more insecure". Hardware keys are more secure. Most current 2FA are two factor, even if you have to unlock your phone. 1) What you know (your password, AND your phone PIN), 2) What you have (your authenticator app). It can be seen as three factor if your phone unlocks with fingerprint or face ID (what you are).
So you are accepting that a person who steals the key and guesses the password can access your account.
With the phone, they would need your fingerprint or face as well (the '3rd' factor)
And stealing this HW key will be much easier, since:
1. People will leave/forget it plugged into their computer out of laziness or convenience.
2. The nano keys do not have a key hole, so no way to 'tie' them with your car/house keys for protection.
How is that not more insecure ?
@@TheSolderingGuy007Those all seem like very low probability and easily avoidable events. (And remember, NO solution is 100% secure. No such thing.) More commonly people fall for phishing attempts, which can include catching 2FA codes from a phone in real time. A hardware key is impossible to phish - you need actual, physical, possession.
@@askleonotenboom not convincing. but thanks for trying.
There are 3 factors of authentication of identity: 1) Something you know e.g. password. 2) Something you have e.g. phone. 3) Something you are e.g. Fingerprint.
Being able to unlock your phone with a pin/password makes it only 2 factor not 3. A password + a device + another password is still only needing to know your passwords and have your device which is 2 factors out of the 3.
The risk of losing a Yubikey is lower than risk of your always-connected phone getting hacked with a zero-day exploit. Because of the convenience more people are exposed to internet-based hacking and over the phone/email scams everyday than they are to in-person theft. So physical items not connected to the internet are inherently more secure from those that we are most at risk to everyday. As for accidently losing a yubikey, it's a 2FA device which means it's one part of an authentication that requires two parts. The "new owner" would only have one part and wouldn't be able to log in presuming they would even know what accounts are associated with their new found key.
TL;DR: Physical/offline security is vastly better than anything you do with your always connected to the world wide web smartphone. Even the best hackers in the world are foiled against a paper document laying on top of my desk - just can't quite make that last connection.
2.5 min in and you're just repeating what a yubikey is ffs get to the point
So someone can come along, touch your Yubikey & it'll work anyway....yeah, really secure.
If they have physical access, that's your mishandling, not theirs.
Would you give someone your house key?