How Does a Hardware Security Key Like YubiKey Work?

Поделиться
HTML-код
  • Опубликовано: 23 ноя 2024

Комментарии • 99

  • @graytonw5238
    @graytonw5238 Год назад +22

    This is one of those things that make me go "...hmmm". I learned a little more about it from this video though. During my sysadmin days (thank GOD I'm retired from that now!) I had guys in the shop who literally wore out their USB drives and laptop USB ports from constant plugging and unplugging, so that they became unusable. In addition to the fear of losing your YubiKey, I always worried about the eventuality of the key simply failing from use. But having the fail-safes of one-time codes and multiple 2FA backups does allay those fears though. I agree on the topic of using it for case of needing ultimate security, it wouldn't get any better than that. Great overview!

    • @xybersurfer
      @xybersurfer Год назад +3

      some of these keys can also use NFC. i also worried about the same

    • @portman8909
      @portman8909 9 месяцев назад +1

      I’m a sys admin and we will be enforcing 2FA for all our users. A contract for security keys will be signed and we’ll be supplied with the amount we need plus backups. If a user loses their key it’s no problem our administrators will reset their 2FA and allow them to set up a new one.

    • @chingatumadregoogle1344
      @chingatumadregoogle1344 6 месяцев назад

      Un phones you got nfc or buy one for laptop or just a dongle for your usb so the replasable external is the one to wearout

    • @StijnHommes
      @StijnHommes 3 месяца назад

      The USB port on my phone has worn out. Besides, I wouldn't want to plug anything in there anyway.
      A Yubikey is just another roadblock to slow honest users down while having little to no effect on hackers.
      We should just stop treating all these scammers like their scams have any credibility.
      Let's start by getting local governments to stop stores from importing and selling Yubikeys to protect people from themselves and business greed.

  • @AC-bw9tw
    @AC-bw9tw 7 месяцев назад +4

    Thank you for talking normal instead of fast. I can understand you which is new!!! 4:29

    • @kevinmcfarlane2752
      @kevinmcfarlane2752 5 месяцев назад +1

      Lol, lots of people do talk too fast in these sorts of video don't they?

    • @millanferende6723
      @millanferende6723 Месяц назад

      @@kevinmcfarlane2752 Yeah, or incredibly slowly. His pace is just right, and it is very clear.

  • @TuulaMaaria
    @TuulaMaaria Месяц назад +1

    RUclipsrs whose main income comes from RUclips now seem to get suggested to only use multiple hardware security keys as authentification, with so many accounts getting hacked. I haven’t done that yet but will very soon.

    • @attemptive
      @attemptive 5 дней назад

      i’m going to hack you

  • @JadeSambrook
    @JadeSambrook Год назад +8

    Thank you Leo for this very helpful video. You are the only one out of all the privacy and security RUclipsrs who addresses the question of using the Yubikey along with other 2FA. For example, Facebook offers 2FA by Authentication app, SMS and Security Key. And once I had set up my security keys in my Facebook account I was left wondering if I should turn off the other options to maximize security but I could not find an answer anywhere.
    Although you mention that there is only a very small incremental security risk by having other 2FA options turned on, Ive always wondered what is the point of having Yubikeys if the other 2FA options are turned on (considering the cost of buying a Yubikey). But now Ive understood from your video that only for my most sensitive accounts should I set the Yubikeys as my only 2FA option and for other less sensitive accounts it is okay to have some other 2FA options turned on (although I try to avoid 2FA by SMS whenever possible).

    • @millanferende6723
      @millanferende6723 Месяц назад

      Yes or, to secure your accounts, incase you for example lose your phone or access to your Google authenticator. It is also good to have your main accounts (Gmail, social media, etc) backed up on Yubikey. This is what I am going to do.

  • @petermarshall5450
    @petermarshall5450 10 месяцев назад +3

    This was the very best explanation regarding this form of security. Thank you very much. Peter

  • @abhijeetduttPandey
    @abhijeetduttPandey Месяц назад +2

    I think you forgot to explain the part about 'how the Yubikey works.'

  • @dgriffin6074
    @dgriffin6074 Месяц назад

    Thank you. This is one of the best videos I have seen about the Yubikey.

  • @bobsansmal
    @bobsansmal 5 месяцев назад +1

    I would have liked to see much more detail about how these devices work. For example: the YubiKey types out a different string each time, so how does an online account verify that the new string it's never seen before is correct? Does it have to query a server a YubiKey at authentication time? If so, what does that query look like? Was some secret (like a public key) shared at the time of initial setup? If the YubiKey servers are ever compromised, would that compromise my accounts? Not that 2 factor services like YubiKey or, say.....Okta (ahem) are ever compromised... These are important details.

  • @vatsaakhil
    @vatsaakhil 2 месяца назад

    I just had to do it myself, got my yubikey and damn it printed that string!! This was exciting!

  • @StijnHommes
    @StijnHommes 3 месяца назад +1

    Why are you so worried about having passwords compromised on the one hand and then also completely not worried about having so many additional factors that having any of them compromised and used to lock you out? That's called double standards.

  • @NativeVsColonial
    @NativeVsColonial Год назад +6

    Can it be cloned like SIM Card cloning? I mean it has USB like structure which I think can be accessed when used in a proper software to view the data?!

    • @john-cv9dy
      @john-cv9dy Год назад +3

      not possible.

    • @neuideas
      @neuideas Год назад +4

      They are engineered to be very difficult to clone. In addition, there's a counter incremented with each use. If a cloned Yubikey is attempted to be used, the counter will be compared. If there isn't a proper match, the key will be invalidated.

    • @xybersurfer
      @xybersurfer Год назад +2

      @@neuideas enforcing the hardware counter is not a hard rule in the specifications. it's up to each provider of the service to decide

    • @FrankStjerne
      @FrankStjerne 10 месяцев назад

      Timestamps is a part of the validation so a copy will have a different timestamp and it will not be working. There is a chip inside, that cant be accessed. It is like a secure enclave.@@neuideas

  • @pokeba6408
    @pokeba6408 10 месяцев назад +4

    Very well explained! Thank very much.

  • @steve_main
    @steve_main Месяц назад

    7:00 Okay stupid question here.. If you have this super strong auth key and then you create a back door of 10 one-time use codes have you not reduced the security of the MFA to a single 10 chr password? Not only that you have 10 of them! So now it's not a needle in a haystack it's 10 needles in a haystak. Also pople accessing these keys will know it's letters and nubmers all lower case and only 10 chrs which even more reduces the guesses needed. I am so perplexed by this. Can someone please explain if this is okay/secure to have 10 one-time use passwords then why not only have them and why do you need a security key?

  • @toondesmarets3033
    @toondesmarets3033 2 месяца назад +1

    If you let several 2FA possibilities open ( Yubikey, google authenticater, text, email) then an hacker can choose which one he want to hack. The hacker has different option as well. He doesn’t need a Yubikey. He can choose an easier one as text or email. Or do I miss something?

    • @vatsaakhil
      @vatsaakhil 2 месяца назад +1

      Ideally yes, that is why it is better to combine two factors, i.e something you know+something you have

  • @SlackHoffman
    @SlackHoffman Год назад +1

    Hi, how to you check a yubikey right out of the box? I received one in the post but the packaging was damaged ! I wondered if there is a check that can be run on it to make sure it’s not been tampered with or should I just throw it away ?
    Or is there a way to reset it ?

    • @askleonotenboom
      @askleonotenboom  Год назад

      It's not resetable, but I'd reach out to Yubico (the manufacturer) and see if they have any advice.

    • @richstilke1227
      @richstilke1227 Год назад

      They don't work with Google, and most banks don't support them either. For the most part they are a waste of money. Even for a Windows login, you can just bypass it by entering the correct PIN.

    • @askleonotenboom
      @askleonotenboom  Год назад +5

      @@richstilke1227 My YubiKey works quite well with Google. I don't consider it a waste at all. (Yes, you do have to ensure that you haven't set up alternate mechanisms if you want the YubiKey to be the ONLY way to ID. You can turn off the PIN if you like.)

  • @jeanma2104
    @jeanma2104 10 дней назад

    Good and clear content. Thanks

  • @skynetskynet4845
    @skynetskynet4845 3 месяца назад

    Thanks for this very clear explanation !

  • @starterplanet
    @starterplanet 2 дня назад

    How does an account know the next password it generates is correct?

    • @askleonotenboom
      @askleonotenboom  День назад

      It's a long complicated answer, but the short version is that it's using public key cryptography. They security key has one of the key pair, and the system has the other.

  • @Matt-go7ss
    @Matt-go7ss 8 месяцев назад

    So what if someone notices you have a yubikey on yoir keyring, steals it then knows where you have your laptop? You're screwed, right?

    • @askleonotenboom
      @askleonotenboom  8 месяцев назад +3

      Only if they ALSO know your password. As soon as you notice your YubiKey is missing, sign in to your account (using a backup method also set up when you configured the YubiKey), and then remove the YubiKey from your account.

  • @luckyrocks1
    @luckyrocks1 7 месяцев назад +4

    Can we just quit using passwords altogether and submit a dna test instead? Because I am old and getting older and I am out of guesses as to what my current password is!

  • @emmapeel4259
    @emmapeel4259 7 месяцев назад

    My question would be if you use multiple 2FA methods, isn't your security only as strong as the weakest link (2FA). So really how does this security key going to protect you in the case of multiple 2FA

    • @hellouser5498
      @hellouser5498 7 месяцев назад

      Doesn't make sense to have Yubi and leaving email or SMS 2FA on

    • @Our1stPlanet
      @Our1stPlanet 7 месяцев назад

      Please correct me if im wrong,
      Other methods are only compromised when they are being used.

    • @kevinmcfarlane2752
      @kevinmcfarlane2752 5 месяцев назад

      @@Our1stPlanet Impression I had was that they were for backups. I.e., you use the strongest 2FA (Yubi) until you _have_ to use one of the others because you lost or damaged your key

  • @goodluckgino
    @goodluckgino Год назад +4

    Great video Leo. Keep it up brother.

  • @jonmarcus1954
    @jonmarcus1954 6 месяцев назад

    How does a Yubi key work if I don't have physical access to the machine that is accessing the account? For example, I am running on a Azure virtual machine. Can I remotely access the key?

  • @GD15555
    @GD15555 5 месяцев назад

    is it immune to browser hijacking

  • @SuperFredAZ
    @SuperFredAZ 6 месяцев назад +1

    Excellent video!

  • @alanglassman6473
    @alanglassman6473 9 месяцев назад

    How would you use this on an iPad or iPhone where you do not have usb.

    • @darrentakesover
      @darrentakesover 8 месяцев назад

      You can buy a lighting and or NFC versions. But Yubikey is limited on what you can use its for 2FA, its only my emails and password manager that I can use it for. IE not every website that has 2FA lets you use Yubikeys.

    • @paulscussel140
      @paulscussel140 8 месяцев назад +1

      They have NFC

    • @alanglassman6473
      @alanglassman6473 8 месяцев назад

      Thanks

  • @roobscoob47
    @roobscoob47 5 месяцев назад

    Thanks, Leo~

  • @jordan9632
    @jordan9632 6 месяцев назад

    Any MFA is better than no MFA, but all MFA are not equal. Cell and email should be skipped all together.

  • @WaschyNumber1
    @WaschyNumber1 Год назад +1

    Is it not possible to make from a normal USB stick or nvme storage a key like the yubikey ? 🤔

    • @askleonotenboom
      @askleonotenboom  Год назад

      Not exactly. There are techniques that require you have a specific file that can eb stored on a thumbdrive, but it's not at all the same as what a YubiKey does.

    • @WaschyNumber1
      @WaschyNumber1 Год назад

      @@askleonotenboom OK, for me it's to expensive to buy one 60£ is not cheap and a good usb drive I can get from SanDisk for 20£ or even cheaper,depebd how much GB it needs. 🤔

    • @vishwanathnb128
      @vishwanathnb128 Год назад +1

      ​@@WaschyNumber1Its not about GB, its about how its built: the encryption and tamperproof.

    • @killer2600
      @killer2600 8 месяцев назад

      Yubikeys look like usb thumb/flash drives but they are not nor will they appear as a drive when you plug them into your computer. They are more like smart cards, the kind you may have seen on your credit/debit card albeit you can't plug your credit/debit card into a usb port.

  • @mr.wigglemunch3856
    @mr.wigglemunch3856 9 месяцев назад +1

    If I have two Yubikey's, recovery codes and the authenticator app, is it wise to remove the rest of the authentication methods like email and phone number verification?
    Also, in theory, if a hacker would simswapps my phone number, could he or she change all the other authentication methods in my Google account and make the first methods I mentioned useless??

    • @killer2600
      @killer2600 8 месяцев назад +2

      If you are confident in your recovery methods, it is not unwise to remove weak authentication methods like SMS and poorly secured e-mail (whether it's on the users or e-mail services end).

    • @mr.wigglemunch3856
      @mr.wigglemunch3856 8 месяцев назад

      @@killer2600 Right, thanks!

  • @rholmst
    @rholmst 9 месяцев назад

    I prefer google’s titan key.

  • @customer7903
    @customer7903 9 месяцев назад

    My issue is Yubico your review is not showing the full picture. It takes 2 weeks to have them delivered and if there is an issue then the buyer has to pay for return postage and also their customer service is very slow and on occasions I have had to write to them more than one to even get a reply!!!

  • @Summerbunny15
    @Summerbunny15 Год назад +6

    I would advise anyone using SMS as 2FA to activate mobile PIN lock - this is associated with your mobile phone number, so in the event your SIM is swapped, the bad actor cannot access your SMS messages as they would need the SIM PIN to unlock the fraudulent SIM on their device.

    • @killer2600
      @killer2600 8 месяцев назад

      With SIM swapping they don't actually take the SIM from your phone, they just get your phone company to send a new sim for your account to them. SIM pins only lock the sim card you have in your phone, they don't have any effect on the new SIM your phone company sends to the perp.

    • @Summerbunny15
      @Summerbunny15 8 месяцев назад

      @killer2600 - I'm aware they can't physically take the SIM from a phone in a SIM swap- however, as I said, the SIM PIN is associated with your phone number so they cannot use the fraudulent SIM to access your phone details on their device, as they will require a PIN. (I have a SIM PIN lock and everytime I switch my phone off and on again, I need to type my SIM PIN to get back into my phone- (it would be the same for a bad actor who swaps a SIM as the mobile number is migrated to the fraudulent SIM).

    • @Imw101
      @Imw101 7 месяцев назад

      @@Summerbunny15 SIM PIN stops your SIM being used in another deivice. SIM swap is when the criminals obtain a clone of your SIM

  • @bernardmueller5676
    @bernardmueller5676 Год назад

    Why YubiKey? Why not Fido Security Key? - BTW, pressing the key is not sufficient. You have to enter a password for the key.

    • @askleonotenboom
      @askleonotenboom  Год назад +2

      You may not have to enter a password for the key. (At least I don't). And YubiKey is just my example. There are other secure keys out there.

    • @killer2600
      @killer2600 8 месяцев назад

      For YOTP (Yubico One-Time Password) you don't have to enter a password. And why not just a FIDO security key? Because FIDO doesn't work across interfaces/connections that only permit keyboard character entries. That's where TOTP still shines and where YOTP was a hardware token game changer - with either OTP method one can implement 2FA in any interface that takes ascii keyboard characters.

    • @mrphillipzz
      @mrphillipzz 8 месяцев назад

      Yuubikey 5 series is Fido compatible

  • @autohmae
    @autohmae Год назад

    Yubikeys are in different types...

  • @TheSolderingGuy007
    @TheSolderingGuy007 8 месяцев назад

    I am completely lost on how this method is not seriously more insecure.
    The problem with a lost key is not how you would get in !!! its how to prevent the new owner from entering you account !!!
    Most current 2FA are not 2 factor but 3 factor. Eg. you need to 1. know the password, 2. you need to have the phone & 3. you need to be able to unlock the phone (fingerprint/face/pin).
    What am I missing ?

    • @askleonotenboom
      @askleonotenboom  8 месяцев назад +1

      I'm not sure where you're getting "more insecure". Hardware keys are more secure. Most current 2FA are two factor, even if you have to unlock your phone. 1) What you know (your password, AND your phone PIN), 2) What you have (your authenticator app). It can be seen as three factor if your phone unlocks with fingerprint or face ID (what you are).

    • @TheSolderingGuy007
      @TheSolderingGuy007 8 месяцев назад

      So you are accepting that a person who steals the key and guesses the password can access your account.
      With the phone, they would need your fingerprint or face as well (the '3rd' factor)
      And stealing this HW key will be much easier, since:
      1. People will leave/forget it plugged into their computer out of laziness or convenience.
      2. The nano keys do not have a key hole, so no way to 'tie' them with your car/house keys for protection.
      How is that not more insecure ?

    • @askleonotenboom
      @askleonotenboom  8 месяцев назад +1

      @@TheSolderingGuy007Those all seem like very low probability and easily avoidable events. (And remember, NO solution is 100% secure. No such thing.) More commonly people fall for phishing attempts, which can include catching 2FA codes from a phone in real time. A hardware key is impossible to phish - you need actual, physical, possession.

    • @TheSolderingGuy007
      @TheSolderingGuy007 8 месяцев назад

      @@askleonotenboom not convincing. but thanks for trying.

    • @killer2600
      @killer2600 8 месяцев назад

      There are 3 factors of authentication of identity: 1) Something you know e.g. password. 2) Something you have e.g. phone. 3) Something you are e.g. Fingerprint.
      Being able to unlock your phone with a pin/password makes it only 2 factor not 3. A password + a device + another password is still only needing to know your passwords and have your device which is 2 factors out of the 3.
      The risk of losing a Yubikey is lower than risk of your always-connected phone getting hacked with a zero-day exploit. Because of the convenience more people are exposed to internet-based hacking and over the phone/email scams everyday than they are to in-person theft. So physical items not connected to the internet are inherently more secure from those that we are most at risk to everyday. As for accidently losing a yubikey, it's a 2FA device which means it's one part of an authentication that requires two parts. The "new owner" would only have one part and wouldn't be able to log in presuming they would even know what accounts are associated with their new found key.
      TL;DR: Physical/offline security is vastly better than anything you do with your always connected to the world wide web smartphone. Even the best hackers in the world are foiled against a paper document laying on top of my desk - just can't quite make that last connection.

  • @IntraVortex
    @IntraVortex 18 дней назад

    They don’t work. Mine didn’t. The company sucks!

  • @ChibiKeruchan
    @ChibiKeruchan 10 месяцев назад +1

    yubi key is far easier to understand than the passkey 😂 simply because it has physical key (kind of thing) associated with it.
    also you can just leave it at home in your vault and is the best kind of physical thing you can pass to someone in a cool way. just imagine you die and your lawyer pay a visit to your family to tell them your last will and testament and in the process they gave them your Yubikey 😂😂😂😂

    • @utuber1000
      @utuber1000 9 месяцев назад

      I don't understand what I am supposed to imagine. Please explain. Okay, first my lawyer visits my family, then which is "them" and which is "they?" Are you saying my lawyer had the key and gave it to my family; or are you saying my family had the key and gave it to my lawyer? And why? The speaker in the video didn't say anything about all the passwords - where are they stored? Are you saying they are in the key? Or are you saying that with the key the family won't need the passwords? And is your scenario going to cause an argument amongst family members as to who gets the key? Or gets what? I thought the key only did 2FA not passwords.

  • @davidcopeland5789
    @davidcopeland5789 4 месяца назад

    What are the weaknesses of YubiKeys? If you have a backup key, you obviously can't keep both keys on the same keyring. Suppose one of the YubiKeys is on a keyring and you loose your keyring with all of your keys. Will the finder of your YubiKey have access to all of your accounts? Suppose it gets stolen. What then? Do you rush home, find your backup YubiKey and remove the YubiKey from all of your accounts? If you have a backup YubiKey in a secret place, do you have to always be concerned that someone may find your YubiKey and access all of your accounts?
    These are things we need to know. What are standard practices to avoid trouble?

    • @vmobile890
      @vmobile890 2 месяца назад

      Spare key to a borrowed summer home is around my neck in that last 20 years. My youbi key same or medical tape to my chest .

  • @viewitnow3539
    @viewitnow3539 4 месяца назад +1

    2.5 min in and you're just repeating what a yubikey is ffs get to the point

  • @dumptrump3788
    @dumptrump3788 9 месяцев назад

    So someone can come along, touch your Yubikey & it'll work anyway....yeah, really secure.

    • @askleonotenboom
      @askleonotenboom  9 месяцев назад +3

      If they have physical access, that's your mishandling, not theirs.

    • @portman8909
      @portman8909 9 месяцев назад +8

      Would you give someone your house key?