This is great information. I also notice one difference: most other youtubers who talk about YubiKeys recommend two keys - a primary and a backup. You are the first I've seen recommend more than one extra key. This is very helpful. The same as with data backups, keeping two extra copies is much safer. Maybe I will never need that third YubiKey, and it certainly cost extra money to buy 3 rather than only 2. But if two bad situations cause me to lose 2 keys before i can buy and setup a new one, at least I will still have that third key and won't be locked out.
Thank you. That clears up some confusion I had about the separation of FIDO2 and authenticator seeds on the device. I’m still trying to understand all the different PIN codes needed at the various login stages.
Thanks Gian! Very useful helping someone with what looks like a Microsoft PIN issue, as the error doesn't tell you / suggest / hint in the slightest that its the Yubikey pin thats blocked!
Having the ability to reset the account is always a good thing, but you need to keep those codes really secure. Actually i have 4 keys registered for all of my important accounts, one key is in a safe place in the house. :)
The challenge phrase A1B2C3 is not to verify that you are really infront of the computer. It is to make sure that you are actually entering the code you think you are. For example if you have the wrong keyboard layout without realizing.
I have many YubiKeys and to be honest I think they are more of a headache than a help. The basic keys that are not programmable are fine. However the programmable keys with multiple functions and yet only 2 slots are very risky in terms of locking yourself out of accounts especially if you are new and exploring the device. It's weird that the programmable key has 6 separate functions yet only two slots. Also there is something very flawed about not being able to generate the private keys yourself ... so we just have to trust YubiKey deletes the private keys after they have been burned on the device and don't keep a backdoor listing for NSA? ...yeah right, what's the point of having these if you are required to trust YubiKey ...the entire math of cryptography is bypassed
Thanks for the great videos regarding Yubikey. I had a question regarding FIDO2. Does it come with a default password (PIN?), if not can the key still be used without one?
Yes it has a default pin, usually if you do not change default one, the first software that configures the first FIDO2 identity usually suggest you to change the default.
Ideally when you set passkey you should delete all other ways of login because that is a “shared-secret” security hole that you are trying to avoid using passkeys. Else what is the point of using passkeys if you are opening a weaker access method anyway? Using multiple passkeys should help.
Question, can you demonstrate recovering a Microsoft Account with a Recovery Key? I'm curious to know some of the situations where you are asked for it, and what happens when you enter it.
@@codewrecks I have about 4 or 5 different authentication methods, including both the MIcrosoft Authenticator AND Authy, SMS, email, etc., plus the Authenticators are installed and synced between multiple devices. I am completely set and won't get locked out. I'm just asking out of curiosity because nobody ever demonstrates using the Recovery Key, it's literally not a thing you can find on the internet.
@@Damariobros If you means recovery codes, they are codes that can be used only once instead of the 2FA, so you can enter on your account and setup another 2FA (in the situation you lost all of your 2FA other methods).
@@codewrecks I know what recovery codes are and I store them properly. I know that they simply log you in in place of 2FA. But big tech has different recovery processes than most websites and I'm curious to know what that process is for Microsoft, when you have previously generated your 25 character Recovery Key. Does it just simply log you in or do they make you do something after using it? And, do they only let you enter it logging in, or are there other times you can enter it, maybe such as when trying to access your security settings and they ask you to verify yourself?
Hi, I have a question, does the option to log in just with the security key also works with the cheap one for arround 25 bucks or you need to buy the one with OTP arround 50 bucks? Thanks iin advance!
It should work according to the documentation. I always took the most expensive one because I use a lot yubico authenticator app too www.yubico.com/it/product/security-key-series/security-key-nfc-by-yubico-black/
@codewrecks Yes, 2 different computers. One a desktop and the other is a laptop. The nano came apart taking it out of the port. It was the 3rd key. The refunded that one.
@@codewrecks There customer service has been very good! Your video is very good. It is the only one I could find that explains all of this. Thank you for your content.
Very underrated video and is the only one out there that talks about real life usage of yubikey! No sponsorship or verbal diarrhea bs, keep it up!
This is great information. I also notice one difference: most other youtubers who talk about YubiKeys recommend two keys - a primary and a backup. You are the first I've seen recommend more than one extra key. This is very helpful. The same as with data backups, keeping two extra copies is much safer. Maybe I will never need that third YubiKey, and it certainly cost extra money to buy 3 rather than only 2. But if two bad situations cause me to lose 2 keys before i can buy and setup a new one, at least I will still have that third key and won't be locked out.
You have the best Yubikey videos ever please keep making them! watching all of them one by one
Thank you. That clears up some confusion I had about the separation of FIDO2 and authenticator seeds on the device. I’m still trying to understand all the different PIN codes needed at the various login stages.
Thanks Gian! Very useful helping someone with what looks like a Microsoft PIN issue, as the error doesn't tell you / suggest / hint in the slightest that its the Yubikey pin thats blocked!
thanks for sharing what happens! you've picked a good topic. this is something very important.
This is why you need two keys. You also need the account reset codes for your accounts so you can access.
Having the ability to reset the account is always a good thing, but you need to keep those codes really secure. Actually i have 4 keys registered for all of my important accounts, one key is in a safe place in the house. :)
Thank You! This was a very useful video as I was unaware of the YubiKey Manager!
The challenge phrase A1B2C3 is not to verify that you are really infront of the computer. It is to make sure that you are actually entering the code you think you are. For example if you have the wrong keyboard layout without realizing.
Thanks, I really got it wrong in the video.
My friend you saved my.....great video
I have many YubiKeys and to be honest I think they are more of a headache than a help. The basic keys that are not programmable are fine. However the programmable keys with multiple functions and yet only 2 slots are very risky in terms of locking yourself out of accounts especially if you are new and exploring the device. It's weird that the programmable key has 6 separate functions yet only two slots. Also there is something very flawed about not being able to generate the private keys yourself ... so we just have to trust YubiKey deletes the private keys after they have been burned on the device and don't keep a backdoor listing for NSA? ...yeah right, what's the point of having these if you are required to trust YubiKey ...the entire math of cryptography is bypassed
Great content, real life use case.
Very informative thankyou .
Thanks for the great videos regarding Yubikey. I had a question regarding FIDO2. Does it come with a default password (PIN?), if not can the key still be used without one?
Yes it has a default pin, usually if you do not change default one, the first software that configures the first FIDO2 identity usually suggest you to change the default.
Awesome video! clear.
Ideally when you set passkey you should delete all other ways of login because that is a “shared-secret” security hole that you are trying to avoid using passkeys. Else what is the point of using passkeys if you are opening a weaker access method anyway? Using multiple passkeys should help.
That is the reason why you need at least two keys so you can remove passwords and be sure you will not be locked out
Question, can you demonstrate recovering a Microsoft Account with a Recovery Key? I'm curious to know some of the situations where you are asked for it, and what happens when you enter it.
Actually the easier way is to configure Microsoft authenticator in case your keys are all lost.
@@codewrecks I have about 4 or 5 different authentication methods, including both the MIcrosoft Authenticator AND Authy, SMS, email, etc., plus the Authenticators are installed and synced between multiple devices. I am completely set and won't get locked out. I'm just asking out of curiosity because nobody ever demonstrates using the Recovery Key, it's literally not a thing you can find on the internet.
@@Damariobros If you means recovery codes, they are codes that can be used only once instead of the 2FA, so you can enter on your account and setup another 2FA (in the situation you lost all of your 2FA other methods).
@@codewrecks I know what recovery codes are and I store them properly. I know that they simply log you in in place of 2FA.
But big tech has different recovery processes than most websites and I'm curious to know what that process is for Microsoft, when you have previously generated your 25 character Recovery Key. Does it just simply log you in or do they make you do something after using it? And, do they only let you enter it logging in, or are there other times you can enter it, maybe such as when trying to access your security settings and they ask you to verify yourself?
You entered 4 incorrect pins twice, so a total of 8 time. Not 3 incorrect pins each time.
My bad, it is indeed 8 tentatives, with a different warning approaching 8
Hi, I have a question, does the option to log in just with the security key also works with the cheap one for arround 25 bucks or you need to buy the one with OTP arround 50 bucks? Thanks iin advance!
It should work according to the documentation. I always took the most expensive one because I use a lot yubico authenticator app too www.yubico.com/it/product/security-key-series/security-key-nfc-by-yubico-black/
ty bro u are the best
I have this message. Thanks for your video. I thought i would have to buy a new key.
If you entered wrong pin too many times you can simply reset the key as showed in the video, no need to buy a new key.
@@codewrecks Thanks a lot👍😉
great example
I want help to reset fido pin
Just download yubikey manager and you can reset the pin www.yubico.com/support/download/yubikey-manager/
Is 2 keys OK, or is 3. What is best number of keys to have? Thanks.
IMHO: 2 is minimum number that I'd like to have. 3 is better, but you can easily live with 2.
I think these are garbage. Both of the keys I received say failure to connect. I can not even set them up in the Yubikey manager.
Send back for replacement if they are defective. It is really strange to have 2 of them not working, have you tried on different machines/phones?
@codewrecks Yes, 2 different computers. One a desktop and the other is a laptop. The nano came apart taking it out of the port. It was the 3rd key. The refunded that one.
@@kimcrismon9882 so sorry to hear that, I have 5 keys and have friends uses them and never had problem. 😔
@@kimcrismon9882 So sorry to hear that, it seems that you somewhat found a faulted batch :(.
@@codewrecks There customer service has been very good!
Your video is very good. It is the only one I could find that explains all of this. Thank you for your content.