Just ran across this video... All I can say is THANK YOU! You did an amazing job at laying out what Yubikeys not only are, but the demos were off the chain! Keep up the great work sir!
Best balance between skimming over details to make it short and going way over time to make an exhaustive yet way too long video. Key points are covered. Points out of scope are stated as such. Points that have bigger implications and do need consideration at some point, are also made clear: things that make you think. Ideal balancing a critical yet confusing topic. Great vid.
You don't have to use the manual method to configure the same TOTP on all your YubiKeys, just switch between them while on the QR Code screen and enter the TOTP from the last key you configure to finish the respective service TOTP setup.
We have company issued Yubikeys for over 5 years and you are exactly right about how good they are. Even though I'm a very long time user, I am so glad you made this video. I have actually been wanting to use Yubikeys for my personal accounts, but hadn't invested the time to figure out how to set it up. So I've been using the MS and Google authenticators. But I prefer the Yubikey for the same reasons you cited. I was working in Germany a couple years ago and forgot my Yubikey at home and needed access to our corporate VPN. We fortunately had an office a couple hours away and I was able to get a replacement through our IT. But I wasn't sure if I could set up a couple so I'd have a backup. I also wasn't sure about how to get it to work with a phone since my company issued Yubikey is the USB A style. You really answered ALL my questions. I'm going to hit your link and pick up a few.
Yes, I am replying to my own post. I just received the 2x 5NFC USB A's today that I ordered. I am even more positive now than before that this is what I needed, as I spent some time over the weekend looking at the key capabilities. I am buying another 2 of them. I am getting a set for my wife for her to use for her accounts. As with most people, her security awareness is limited and it is pointless to preach about it to people. You just need to provide them with something secure and simple, which this really does. It also means I can authorize all 4 on joint accounts so that if something happens to me she will have access to our accounts like gmail, 401k, banking etc. I work on numerous linux systems via putty and ssh and was very pleased I can use putty-cac as well even if the PC doesn't have a SmartCard slot. I tried it out earlier today on a few systems and it works great. I had looked into SmartCard as an option about a year ago as a personal security solution, and dismissed it due to not working with a phone and needing a reader, among other shortcomings. I do use a CAC SmartCard for work, but only have the reader on my company issued laptop. This Yubikey solves so many problems. I didn't know it had so many authentication choices. However, BEWARE - You need to get at least 2 and make sure you set up the additional keys or you WILL be locked out of your account if something happens to your main key. That should be made clear to someone considering this.
Regarding Tile, they work via Bluetooth, not GPS, so they will only give their location if they are near your phone (or near someone else's phone with the Tile app). It works well if you can't find your keys in your house or to check they're in a bag, much less useful for tracking a stolen bike.
For TOTP you can use the QR code to program multiple Yubikeys: simply program one and do not put the code from the key into the site, then insert your second one and add it there too, and once you've programmed the last one, enter the code into the site. As an alternative to having multiple keys for TOTP, you may copy the code or QR image and store it in an encrypted file using tools like GPG/OpenPGP, but that is another subject, sort of... it would have been nice to cover the PGP functions of the Yubikey as well, maybe that can be a future video :).
If you do this I don't believe you'd be able to revoke them individually, i.e. in case you lost one. You'd just have to remove and re-add the one you still have.
@@ahensley on the contrary, in that case if you lose one key you can just get a new one and feed it the existing TOTP seed (the original QR code/secret code). This way you don't have to invalidate existing TOTPs and redo them all over again in both new and old keys. (If there is a chance that you lost a key to someone who also has access to your passwords then the correct thing to do is actually invalidate existing TOTPs and redo them, not reuse existing seeds)
Been using a Yubikey for years, have a few of them. It's important to note if you set everything up and then lose the key you're going to have a problem. So it's best to have two: one you use and one you keep in a safe place with the same sites configured on it.
Now, this is neat. I never knew those accounts are stored in the keys. I started using Authy last year because it can back up my keys. But that means my secret codes are now on the cloud. I need that feature so I won't lose them whenever I reset my phone, which I do every time it gets a major system upgrade. I don't lose my stuff easily, so having a key is better than having an app. Thank you for such an informative video.
You mentioned “losing” one of your Yubikeys. What’s the best practice for moving forward if you believe it to be truly lost or stolen? That would make a good video.
It depends on the account you lost. He briefly mentioned backup codes, I've seen that several times now that you get backup codes when you set up 2FA. Save those codes, and do not lose them. If you do, there may be no way back. I lost my Steam Authenticator, and had to contact support to get it straightened out. 2FA kind of worries me for that reason. Same problem with one time use texts, if you lose your number or your phone.
Get two yubikeys and lock one of them up in a safe place, many sites will let you register multiple MFA devices. So if you lose one you can log in with the other key, delete the lost one and register the replacement. On sites that do not allow that they will have some sort of backup code or method. Put that info in a safe place.
Simply buy a Ledger Nano S or Trezor T, which only unlock after entering a PIN on the device. You only need to keep a 24 or 12 word backup; if you lose your device, just buy another. They both offer FIDO2.
I'd love an answer to that too. How do you invalidate a Yubikey if it is lost or stolen, to stop it from being used maliciously, or is the only way to manually remove it from all your accounts? Is there no way to say "I no longer have this key, remove all the accounts from it"?
@@Anaerin Exactly - seems like you'd have to keep a list of everywhere it was registered and then go chasing them down manually. I know I won't do that (keep an up to date list)
I absolutely love my YubiKey. The only downfall is the lack of support on many sites and web apps for the U2F protocol. I have tried many times to push these hardware keys on UniFi, Synology or others. But they rarely respond to the request, due to lack of user base usage. The more people keep asking for these requests, the faster it will be taken into consideration.
It’s a chicken or egg situation. No one wants to spend money on a piece of expensive junk that isn’t useful on more than a handful of sites that virtually no one uses. But no sites want to spend the resources to support Yubikey until more people buy them.
@@CCoburn3 Well, everyone has a Google + most probably a MSFT account as well. Add Twitter, GitHub, Facebook, and then it's quite a meaningful list. Annoying that no others really support it, yes, I acknowledge this.
Great video! It's worth noting that for most accounts, even if you miss typing in the code before it expires, as long as you know it, you can still enter it for some time (usually between 5 and 15 minutes). Obviously, as soon as it expires you can't see it anymore, but if you still remember it, you can still enter it.
The only problem I have found with my YubiKey 5 NFC is that not all companies have changed their 2FA to use hardware Authorization... I wish YubiCo would update owners when they add new partners. Otherwise I love YubiKeys. They are about to come out with a Fingerprint YubiKey.
I now have my two 5NFC YubiKeys "Smart-Card Enabled" on both of my Macs meaning that the only way I can log onto either computer is to physically insert the Key into a USB port & enter the PIN. Passwords no longer work. Pairing my keys to each computer was easy peasy. Getting the "Smart-Card Enabled" on my computers required the same effort Generals in WWII had in planning the D Day invasion. Apple articles are incomplete & I never did find or talk with a Senior Tech Advisor that had ever even dealt with the codes required that need to be entered in Terminal. Either Passwords or the YubiKey can be used to log into a computer if "Smart-Card Enabled" isn't enabled which seems to me to defeat the purpose of YubiKeys. Yes, I've just subscribed & rang the notification bell. Warm Regards from Reno, Nevada.
I do not recommend a second device over making sure you keep the security keys (which are the same as the QR codes) stored safely somewhere each time you set up 2FA. This is no different than saving the seed words for a cold storage wallet. A second device is a convenience but not protection.
BTW Tile will not locate your property by GPS, only Bluetooth, so it has to be within Bluetooth range to be located (pretty short range). You might get lucky and another Tile user may "find" it and share location with you.
I was intently listening to you describe why I should be using a Yubikey and looking at the artwork on the wall behind you. I know I am really tired and need more sleep but I thought I'd keep watching as long as I could and then it hit me as to why that artwork looked so familiar. When you terminate enough network cables in your life that you can do it in your sleep, things like the T-568B standard just become like a white wall or a white ceiling. It's there but you just don't see it and yet you know it's there.
I’m a tech moron.... and was filled with dread at having to update my entire online security & password collection over various macs. This video has really helped ! I think I can now master this with a bit of time. Thanks 🙏
I'm just under two minutes into the video, I'm hopeful that this provides an answer about what to do if you break one, because I have been known to break tiny things like a USB Key, so that has been my biggest fear about them. I mean do you have a backup key? Can you make new backups if you need to use the backup because the original broke?
Yes if I were to use them I would and you can have multiple keys. Just like backups go for 3 keys one of which is off site but in a secure place. One on you, a replacement hidden somewhere in the house and another secured off site. He is actually wrong or misunderstood when it comes to having multiple token generators: just like backups you have a sequence of secure backup keys.
You can't make a backup of a Yubikey, each Yubikey will forever remain a separate key with its own identity. What you can do is have several Yubikeys affiliated with a single account such that losing one means you can use the other. Any lost key needs to be manually removed from an account/website.
There is an easier way to add TOTP to multiple Yubikeys. Use the Windows Snipping Tool utility to screen grab the entire QR code. With your first Yubikey, you add the new account, then you double click on the Yubico Authenticator app, then touch the Yubikey for your 6-digit code. Normally, once you enter this code, the QR screen vanishes because TOTP is set up for that one device. If you remove your Yubikey #1, and add in Yubikey #2 or #3 or what have you, so long as the snipped QR code that you copied is completely visible, you can auto add the same account to your backup Yubikeys. There is no need to manually enter the account on two or more Yubikeys. This works on Windows 10, but I can't swear to whether other OS's will also work.
Nice video, I got a Yubikey a few months ago but I wasn't using it to its full potential, this video helped me understand what the capabilities are, thanks!
Probably that it's faster than using authenticator apps on your smartphone. Also that he showed him how to use it since he was unaware of how they worked
I may be overly concerned about hackers, but personally I would not go with anything that is wireless when security is concerned. Wireless just provides one extra weak link in the chain. When using radio technology, i.e.: "NFC" I do suggest making yourself aware of the exact radius of that particular radio transmission.
I just use TOTP in 1Password, it gets filled in automatically along with the login so I don't even have to look up the app/site, just need to have 1Password unlocked. This seems faster than a Yubikey, and works on all platforms. I understand that a HW key is more secure but I wouldn't call it faster or more convenient. Will probably end up getting it anyway to secure 1Password itself and some of the more critical logins :)
I think keeping one key in a safe is a waste. I have two keys: one on my keyring/chain, but the other one is permanently in my home computer and that gives me flexibility. There's no need to store a key in a safe - just make sure you've got a backup of the 'manual' codes that you used to add the OTP account to both keys. If you want to be 'as secure' then you could always keep all these codes in a text file on a USB stick and keep that in the safe. You can then always use these to recreate them on a fresh key.
Google Authenticator now lets you log in and migrate devices, I believe. Edit: it requires the old device, but you can scan a QR code from the old device using the new device to migrate to the new device.
If you're lucky the old device hasn't suffered a hardware failure, fire, water damage, theft etc. I had a charging port go on my Android phone and only realized by the end of the day that the thing wouldn't take a charge, and had to literally make haste to get another old spare phone set up and migrate via QR. If I hadn't noticed it earlier I woulda been hosed pretty badly as I've got Google 2FA on pretty much everything.
All MFA apps allow you to migrate your accounts. All you need to know is backup/recovery codes that you were provided with the first time you signed in to the MFA app.
Thank you for that great product advertising. But I'm missing one topic completely: PGP keys transferred to the YubiKey: a) Usage in general b) What if you lose the YubiKey with the transferred private PGP key part? Just use the key backup that you hopefully did before transferring it? c) How do you revoke already published PGP keys from a lost YubiKey on the corresponding (public) PGP key servers? I'm currently struggling a bit with that YubiKey 5 NFC variant to use it with my PGP in order to sign or encrypt my mails on a desktop client or on an Android client using the NFC interface...
Great video, thanks! I noticed that you are reading from a script, as your eyes are constantly moving from left to right. If you place the teleprompter further away from your setup, it will become less noticeable.
Chris, I love your videos and especially this one, I saw it maybe more than 10 times....and if you see the rest of the comments, I purchased two using your links. But I figured that Yubikeys are NOT faster than any authenticator app and let me tell you and prove to you why: I spent a whole evening trying to set up my 2 Yubikeys, a 5Ci that I will use as a backup (got the idea from you) and a 5C Nano for my laptop. Later on, I decided to go to bed as I had to wake up early the next day. So while I'm in my bed and using my phone trying to fall asleep, I decide to check my UniFi network, by using the "UniFi Network" application, but it asked me for a 2 step authentication. UniFi was one of the first setups I did with the Yubikey since I saw that also on your video. So the fact that I had to get up, go to the living room where I had my laptop and next to it my 5Ci Yubikey, so I could put it on my phone in order to log in to the UniFi Network app, made me realize that Yubikeys are NOT faster than my Authy app, which was still installed on my phone but without my UniFi auth, since I removed it once I installed the auth on my Yubikey. I never made it to my living room since it wasn't so important to go, but it definitely made me question myself why I should move from the Authy app to a Yubikey. More secure? Probably....but I feel like you want a house without glass windows just for the ONE chance that burglars break the windows and get in your house. Nobody is building a house without glass windows, right? Although the possibility is always there, that burglars can get in. I hope you understand my point! I will try to use my Yubikeys since I bought them, but I don't know how convenient they are, to be honest.
Actually, many phones already have something like that built into them. So when your phone is unlocked, you can use it to log into systems. Both Android (since 7.x) and Apple. Apple and Windows laptops supposedly also support it. In Windows it's part of Windows Hello. In all cases I think they need to have a chip built in. Also Krypt Krypton might be an option.
Thank you so much, this vid is amazing. You answered every question I had about the different application types. Simply brilliant! I am so thankful for you and you sharing your time.
I wish they had a screen for TOTP, without having to plug the device into a machine, for those areas where we can't install software nor plug USB into them.
I really like how the Steam authenticator 2FA works. No need to unlock your phone, when it detects you are trying to log in, it gives a lock screen notification that gives you the code
Somewhat vulnerable, anyone who can access your phone now has access to your accounts. A Yubikey is a physical hardware token that is, by its nature, air-gapped, that is, not connected to the internet. Further, if connected to a PC it can be limited by requiring physical touch and/or a PIN code.
I was constantly thinking "something in the background looks familiar, but I can't pinpoint it..." Then my eye fell on the frame hanging next to your YouTube reward button thing, and it clicked :D
@fuck google It's a wiring diagram for Ethernet cables www.google.com/search?q=ethernet+wiring+diagram&sxsrf=ALeKk00UdIyMZp6J_v1JjfzmBKeHK0SxRQ:1606463841336&tbm=isch&source=iu&ictx=1&fir=d3PlvGVMrC5arM%252CV-i5CBR7Nb_OJM%252C_&vet=1&usg=AI4_-kSGgTtbv7cz3tvqafq7529zknD0IA&sa=X&ved=2ahUKEwj3vO2UoKLtAhWNmKQKHeGNA50Q9QF6BAgCEFU&biw=1536&bih=722#imgrc=d3PlvGVMrC5arM
07:50 I disagree, having a further layer of security or two to get in to the authenticator increases security. How many people are going to type in 6 numbers wrong? There is a huge security issue of having Yubico putting things on the clipboard, especially when malware is looking for that.
"I had a half-dozen yubikeys on my desk that I never used until Yubico contacted me to join their affiliate program, but the affiliate program had no influence on my endorsement of their product."
Looks like Yubidoobie is pumping loads of cash in influencing YT influencers. It’s Yubikey! wherever you go. Check out Rob Braxman for some real security tech.
Thanks for your video. It was very informative. PS. The Steam game platform uses a TOTP, but only in its own application. And let's not forget banks, but they're their own class.
I love using my Yubikeys and now they've brought out a model with a fingerprint reader, so... *TRIPLE* Factor for the win! Something you know, something you have, something you are!
Yes I bought two and they have been lying on my desk for two years as I tried to use and got all mixed up so hopefully I will be able to understand how to use (haven't listened to your clip yet).
I have some old Yubikey 4s as well as old Feitian and Titan keys from when I turned on Advanced Protection on Google. But seeing your demonstration of the YubiKey authenticator, I've now purchased five of the YubiKey 5 FIPS keys and am excited to try them out. Something interestingly different is that the secrets are now (since YubiKey 5) stored directly on the key instead of in your application. This will make it easier to use secrets from different devices without trusting a cloud service like Authy to keep the private keys on their servers.
You should remove the safe from your master bedroom closet and put it somewhere else, especially since you announced it on RUclips. Thieves know that is the number one place to find a safe and they can get in and out with it in 5 minutes. They get more nervous by the minute as they are searching the house though so if you choose a less obvious place they will more likely give up and run away.
Great video, but I'm not convinced it's better for personal use, you really can't beat something like 1password's cmd+/ (mac) or ctrl+/ (windows) key combo which fills your username, password, and when using OTP, the 2FA code when prompted. One and done. Also integrates into Safari and Chrome for iOS or Android. Truly a one-stop password app. Not to mention, it's stored in an encrypted vault, so it's shared between ALL your devices. Lastly, no limit on the number of sites you can use 2FA on. Yubikey seems good for large-scale 2FA implementations, but not for personal use... IMO
I think a middleground is perfect. Use yubikey for 1password and let 1password handle all other 2fa. I just googled and think it should work. You'd have the best of both worlds imo.
I think Chris got this wrong in his video. I'm not an expert on this, but I spent some time researching this because I wanted to know the technical details. If you're looking to replace authenticator apps that generate TOTP codes, a Yubikey or similar device can actually be used for an unlimited number of services. The 25 slot limit is for "Resident Keys" which are used for entirely password-less authentication schemes.
You totally can use the QR codes to setup multiple keys, the same way you used the secret to set them up manually. 1. Open website with QR code 2. Insert key A and scan the QR code, but do *NOT* enter the generated code on the website to complete the setup at this stage 3. Remove key A from the computer/phone 4. Insert key B and scan the QR code 5. Use either key to generate a code, enter that on the website to confirm setup & finish the websites setup steps
Agreed, this is how I did it. Note other people retain (in a secure place) the QR Code or manual secret in perpetuity for the convenience of later registration of "key C" in the future.
Thank you, this took me over the top, I ordered Yubikeys (from your link, of course) for the family. One question remains. What happens with the lost backup Yubikey? Do you have to reset all the logins?
1) In regard to ruclips.net/video/ybn9J4QCqK4/видео.html , there is no limit for the number of "U2F/FIDO1" services your yubikey can be connected with. The 25 slots is in regards to FIDO2/webauthn when using "key attestation". As far as I know, this is pretty much limited to password-less services, like Microsoft. 2) TOTP can be phished. If you accidentally log into a fake site and enter in your user+pass+TOTP code, the attacker can log in. You can't do that with U2F/webauthn. Since Google has switched to forcing their 100,000+ employees to use U2F, they have not had a single successful phishing attack. 3) TOTP requires the service to use proper rate limiting. As anyone can clearly see, nearly every site only uses 6 digit TOTP codes. That's only 1 million combinations for any given 30 second window. There have been attacks on services where the attacker just brute forced the TOTP code by trying every code within a 30 second window and was able to bypass TOTP in a matter of seconds. I assume most big players properly implement login rate limiting, but I'm too afraid to test because I don't want to get blocked. And good luck finding any information about such things for a given service. 4) Yubikey/U2F actually uses the same kind of tech as HTTPS. Except instead of your browser validating the HTTPS certificate really is for youtube.com, it's the service validating that the certificate really is for your yubikey. 5) There are cheaper alternatives to yubikey, but they have lesser security ratings if that matters to you. Yubico has designed their devices to be tamper evident and nearly impossible to hack if someone gained access to it. Either way, a U2F security key is much stronger than TOTP.
I was stumbling over the 25 slot limit myself while researching this. A lot of people seem to get this wrong (I did, too). Imo this is not properly explained on the Yubico website and also in technical talks I've seen from the likes of Black Hat. It's a nice example of the Dunning-Kruger effect: First I was impressed that it can work with an unlimited number of services. Then I read about that 25 slot limit, which actually refers to Resident Keys, and thought about how 2FA for an unlimited number of services could even be possible if the security key needs to store a unique secret for each service. Now I know that the service actually stores the private key in an encrypted form and passes it to the security key after password authentication (at least I think that's how it works).
It would be nice to see them integrate biometric authentication into it (an advantage of the smartphone). It would also be nice if soft token MFAs got more into MFA push notifications for wearable devices (giving you the same one touch MFA experience as the Yubikey).
One method for using TOTP as a backup is copying the secrets used aside from the QR code into a text file and keeping that on a secure flash drive. If your primary authentication method is compromised you can use the secrets to temporarily set up an authenticator app to regain access.
I have a Yubikey for work and I can't imagine doing my job without it at this point--I probably average 50 MFAs every day... Back when I was still driving into the office most days it was super painful if I forgot my key at home and had to use my Duo app. Still haven't made the switch for my personal stuff though.... hmmmm....
Hmm... Doesn't leaving the key plugged into your PC with the app running kind of defeat the object? Not unlike leaving your password on a post-it note under your keyboard really :-0
It would still need to be tapped by your fingers to activate… but yes, this has crossed my mind as well. For that I personally would steer clear of the “leave-in” ones… though i think the concerns are irrational for most security threats.
In fact no, and that's why things like the trusted platform module and ssh keys exist, it's just a second factor so if somebody wanted to hack your account they need your password too, or the other way around if they have your password they would need to hack the PC too to get the login done, but the Yubikey requires button confirmation before login so that's fixed too.
So what about the best practices for: * when you LOSE a Yubikey? Revocation recommendations? * Work vs Personal Yubikey * SSH keys * PGP/GPG Crypto keys ? * Large crypto keys (>4096bit)?
Gotta love RUclips recommendation: Up next: Breaking FIDO: Are Exploits in There? From Black Hat. In all honesty I'm still slightly skeptical. I personally still only use passwords, and don't log in on computers that I don't own/control. If I'm ever out and about and need to log in to my bank or something like that I just use NoMachine to connect back to my server at home and log in through that. I'm still not sure how trustworthy a for-profit authentication company can be, when you have major players like Google joining on the standards. I don't think there's a major security issue, I just don't think it's mature enough. On one side Google is fucked up, on the other Google (and other major players) have too much to lose if they start losing reputation, so I don't think they would mess with authentication, but who's to say Yubikey can be trusted to not fuck up their protocol and chips being fundamentally flawed. The issue I have with all those passwords and double, triple checking of identity is that at the end they tend to try and make it easier to actually authenticate, and people end up using a 4 digit PIN set to 0000, 1111, 1234 because some company made their old password insecure by forcing them to change it, made it too complicated, and have a trillion different login portals.
Too much of a hassle.. The Bitwarden extension for Chrome will copy the TOTP to the clipboard automatically after you select the website you are currently trying to log into. A lot fewer steps and I don't have to worry about losing the Yubikey or keeping a backup in my safe! May be great for a business to force the employee to carry this extra key, that will most likely get lost, as an added security step. For regular folks like me, it's not worth it. All your negative points about using software-based authentication, saying it takes too many steps to use your cellphone and then type to the screen and hope you don't make a typo, are all nullified by using, in my case, the Bitwarden browser extension.. Great video. You just convinced me even more why it's not for me.
On the subject of having more than 1 Yubikey configured per site with the Yubico Authenticator, what I do is go through the process of letting the Yubico Authenticator recognise the on-screen QR code, for each Yubikey, but only confirming the authentication code with the site after the last Yubikey is configured. Works fine. I prefer this method, because the manual method sometimes does not work, because the algorithms used to generate the authentication codes, are not always the same for each site (there are multiple standard methods) and I am yet to find any site which actually states which method they're using. Scanning the QR code gets around this problem, as it seems that the method used is encoded within the QR code.
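The multi-key QR procedure described in several comments above, the observation that the QR code carries the algorithm and period that manual entry may get wrong, and the brute-force concern raised a few comments earlier all come down to one fact: a TOTP code is a deterministic function of the shared seed, the parameters and the clock. The following Python is an added example, not code from the video, from Yubico, or from any commenter. It parses an otpauth:// URI (the text inside a TOTP QR code), computes RFC 6238 codes and checks them against the RFC's own Appendix B test vectors, and shows a server-side verifier that counts failed attempts, locks the account after too many, and refuses replay of an already used code. The URI, the TotpVerifier class, its result strings and the lockout numbers are this example's own constructed choices.

```python
"""Added example: one TOTP seed, many devices; and why the verifying side must
rate limit. Standard library only; test vectors from RFC 6238 Appendix B."""
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# RFC 6238 Appendix B uses the ASCII seed "12345678901234567890" for SHA1 and
# the same digits repeated out to 32 bytes for SHA256.
RFC6238_SECRET_SHA1 = base64.b32encode(b"12345678901234567890").decode()
RFC6238_SECRET_SHA256 = base64.b32encode((b"1234567890" * 4)[:32]).decode()

# Constructed otpauth URI of the kind a site encodes in its enrolment QR code.
EXAMPLE_URI = ("otpauth://totp/Example:alice@example.com?secret="
               + RFC6238_SECRET_SHA1 + "&issuer=Example&algorithm=SHA1&digits=8&period=30")

HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def parse_otpauth(uri):
    """Extract label, seed and the parameters sites vary (algorithm, digits,
    period) from an otpauth://totp/... URI. Defaults follow common practice."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    query = parse_qs(parts.query)
    return {
        "label": unquote(parts.path.lstrip("/")),
        "secret": query["secret"][0],
        "algorithm": query.get("algorithm", ["SHA1"])[0].upper(),
        "digits": int(query.get("digits", ["6"])[0]),
        "period": int(query.get("period", ["30"])[0]),
    }


def totp(secret_b32, unix_time, algorithm="SHA1", digits=6, period=30):
    """RFC 6238: HOTP (RFC 4226) over the time-step counter. Any two devices
    holding the same seed and parameters produce identical codes, which is all
    a 'backup key' for TOTP means."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = int(unix_time) // period
    mac = hmac.new(key, struct.pack(">Q", counter), HASHES[algorithm]).digest()
    offset = mac[-1] & 0x0F                     # dynamic truncation
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp_from_uri(uri, unix_time):
    """What a key or app does after scanning the QR code: read every parameter
    from the URI rather than assuming SHA1/6 digits/30 seconds."""
    p = parse_otpauth(uri)
    return totp(p["secret"], unix_time, p["algorithm"], p["digits"], p["period"])


class TotpVerifier:
    """Server side. Accepts one step of clock skew either way, rejects a code
    whose step has already been consumed, and locks the account after
    max_failures bad guesses so a 6-digit space cannot be enumerated inside
    its 30-second window. Returns "ok", "bad", "replay" or "locked"."""

    def __init__(self, secret_b32, algorithm="SHA1", digits=6, period=30,
                 max_failures=5, lockout_seconds=300):
        self.params = (secret_b32, algorithm, digits, period)
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.failures = 0
        self.locked_until = 0
        self.last_used_step = -1

    def verify(self, code, now):
        if now < self.locked_until:
            return "locked"
        secret, algorithm, digits, period = self.params
        step = int(now) // period
        for candidate in (step - 1, step, step + 1):
            expected = totp(secret, candidate * period, algorithm, digits, period)
            if hmac.compare_digest(expected, code):   # constant-time compare
                if candidate <= self.last_used_step:
                    return "replay"
                self.last_used_step = candidate
                self.failures = 0
                return "ok"
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked_until = now + self.lockout_seconds
        return "bad"
```

Running `totp_from_uri(EXAMPLE_URI, 59)` and `totp(RFC6238_SECRET_SHA1, 59, digits=8)` gives the same RFC value, which is the whole reason scanning one QR code into two keys (without confirming until the last one) leaves both keys valid; a manual entry that silently assumed SHA1 where the URI said SHA256, or 6 digits where it said 8, is the kind of mismatch that makes two keys disagree.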
Question: If you're using a Yubikey to unlock your android then you have to get it out and stick it into the USB-C slot each time the android times-out on its own, which commonly happens when the phone is set down for any number of reasons, or when the user only needs to look something up quickly, then turns it off after doing so. The usual scenario is the user swiping the screen, then tapping in the pin, then going in for whatever reason. So with the security key enabled, the user has to tap in the pin, then get the key out and stick it in. This scenario can occur several times an hour, certainly a dozen or so per day....I use a clamshell key case with a zipper that I need two hands for, and if I carry the key in it I'd need to set things down, get out the case, unzip it, deploy the key, zip the case back up, pocket it and proceed.......way too tedious.....advice? Thanks in advance, Joe
You could use the NFC version which only requires you to tap the phone on the back, also there are often options to "trust a device" such that you do not have to use your second factor either indefinitely or for a defined period ("don't ask me for 1 month etc").
Best Yubikey video ever. I learned about this from a podcast but they just flew over the topic so fast I couldn't tell what to do with the damn thing; only that it was 2fa. Now I have a reason to buy a few to use for more security. I don't like using my phone for 2fa because I don't really trust the phone's os.
Hello, you mentioned PIN on your Yubikey a few times; when would one use the PIN for the Yubikey? Is it FIDO or FIDO2, or both? When should the PIN be set up, and where and how is the PIN setup done?
Hey Chris, are you sure about being able to backup TOTP codes to multiple yubikeys? I'm not able to reproduce that. I bought two keys (a 5 NFC and a 5 Nano) and set up 2FA on my Ubiquiti account, exactly as you do in the video. But when I add the code from the Ubiquiti page manually to each of my two keys, they generate different codes. You have to copy one of the generated codes back to the Ubiquiti page to complete the process, and only the key that generated that code will work for logging back in. I hope I'm missing something because I bought these two keys because you said I could have a backup... :)
Thank you for explaining. I just ordered a yubikey 5 nano yesterday. Unfortunately I only found your video today or I would have bought through your link.
For your time codes to automatically put "chapters" on your timeline, you have to put a 0:00 time code in the list. Great video!
yeah at 25:30 I was like, 'this is really good, but I gotta go'
Very useful. I too had Yubikeys on hand waiting to understand how to use them. Multiple keys per account info helped a lot.
I've always found Yubikey's own documentation to be fairly obtuse. Thanks for the clearest explanation yet.
@@rexjuggler19 there are recovery codes in the event you lose your physical keys
Regarding Tile, they work via Bluetooth not GPS, so they will only give their location if they are near your phone (or near someone else's phone with the Tile app). It works well if you can't find your keys in your house or to check they're in a bag, much less useful for tracking a stolen bike.
For TOTP you can use the QR code to program multiple Yubikeys: simply program one and do not put the code from the key into the site, then insert your second one and add it there too, and once you've programmed the last one then enter the code into the site. As an alternative to having multiple keys for TOTP you may copy the code or QR image and store it in an encrypted file using tools like GPG/OpenPGP, but that is another subject, sort of... it would have been nice to cover the PGP functions of the Yubikey as well, maybe that can be a future video :).
If you do this I don't believe you'd be able to revoke them individually, i.e. in case you lost one. You'd just have to remove and re-add the one you still have.
@@ahensley on the contrary, in that case if you lose one key you can just get a new one and feed it the existing TOTP seed (the original QR code/secret code). This way you don't have to invalidate existing TOTPs and redo them all over again in both new and old keys. (If there is a chance that you lost a key to someone who also has access to your passwords then the correct thing to do is actually invalidate existing TOTPs and redo them, not reuse existing seeds)
"Scanning" the desktop screen by the desktop app is a pretty neat little usability hack! I haven't been using the app but now I'm sold on it 🤓
Thanks, Chris! Using them already for about 3 years but managed to find some new things watching your video!
Great to hear!
Been using a yubikey for years, have a few of them. It's important to note if you set everything up and then lose the key you're going to have a problem. So it's best to have two: one you use and one you keep in a safe place with the same sites configured on it.
Thank you for your thorough summary of Yubikeys and set up. Bravo!!
Now, this is neat. I never knew those accounts are stored in the keys. I started using Authy last year because it can back up my keys. But that means my secret codes are now on the cloud. I need that feature so I won't lose them whenever I reset my phone, which I do every time it gets a major system upgrade. I don't lose my stuff easily, so having a key is better than having an app. Thank you for such an informative video.
You mentioned “losing” one of your Yubikeys. What’s the best practice for moving forward if you believe it to be truly lost or stolen? That would make a good video.
It depends on the account you lost. He briefly mentioned backup codes, I've seen that several times now that you get backup codes when you set up 2FA. Save those codes, and do not lose them. If you do, there may be no way back. I lost my Steam Authenticator, and had to contact support to get it straightened out. 2FA kind of worries me for that reason. Same problem with one time use texts, if you lose your number or your phone.
Get two yubikeys and lock one of them up in a safe place, many sites will let you register multiple MFA devices. So if you lose one you can log in with the other key, delete the lost one and register the replacement. On sites that do not allow that they will have some sort of backup code or method. Put that info in a safe place.
Simply buy a Ledger Nano S or Trezor T, which only unlock after entering a PIN on the device. You only need to keep a 24 or 12 word backup; if you lose your device, just buy another. They both offer FIDO2.
I'd love an answer to that too. How do you invalidate a Yubikey if it is lost or stolen, to stop it from being used maliciously, or is the only way to manually remove it from all your accounts? Is there no way to say "I no longer have this key, remove all the accounts from it"?
@@Anaerin Exactly - seems like you'd have to keep a list of everywhere it was registered and then go chasing them down manually. I know I won't do that (keep an up to date list)
Wow, great video! Extremely informative, very well edited. This was exactly what I needed, thank you!
I absolutely love my YubiKey. The only downfall is the lack of support on many sites and web apps for the U2F protocol. I have tried many times to push these hardware keys on UniFi, Synology and others. But they rarely respond to the request, due to lack of user base usage. The more people keep asking for these requests, the faster it will be taken into consideration.
It’s a chicken or egg situation. No one wants to spend money on a piece of expensive junk that isn’t useful on more than a handful of sites that virtually no one uses. But no sites want to spend the resources to support Yubikey until more people buy them.
@@CCoburn3 well, everyone has a Google + most probably a msft account as well. Add Twitter, GitHub, Facebook, and then it's quite a meaningful list. Annoying that no others really support it, yes, I acknowledge this.
Great video! It's worth noting that for most accounts, even if you miss typing in the code before it expires, as long as you know it, you can still enter it for some time (usually between 5 and 15 minutes). Obviously, as soon as it expires you can't see it anymore, but if you still remember it, you can still enter it.
That's a hazard if you think about it.
The only problem I have found with my YubiKey 5 NFC is that not all companies have changed their 2FA to use hardware Authorization... I wish YubiCo would update owners when they add new partners. Otherwise I love YubiKeys. They are about to come out with a Fingerprint YubiKey.
I now have my two 5NFC YubiKeys "Smart-Card Enabled" on both of my Macs meaning that the only way I can log onto either computer is to physically insert the Key into a USB port & enter the PIN. Passwords no longer work.
Pairing my keys to each computer was easy peasy. Getting the "Smart-Card Enabled" on my computers required the same effort Generals in WWII had in planning the D Day invasion. Apple articles are incomplete & I never did find or talk with a Senior Tech Advisor that had ever even dealt with the codes required that need to be entered in Terminal.
Either Passwords or the YubiKey can be used to log into a computer if "Smart-Card Enabled" isn't enabled which seems to me to defeat the purpose of YubiKeys.
Yes, I've just subscribed & rang the notification bell.
Warm Regards from Reno, Nevada.
Funny, I just finished setting mine up last night! Ordered two more for my parents.
I do not recommend a second device over making sure you keep the security keys (which are the same as the QR codes) stored safely somewhere each time you set up 2FA. This is no different than saving the seed words for a cold storage wallet. A second device is a convenience but not protection.
Love the 568B artwork on your wall.
BTW Tile will not locate your property by GPS, only Bluetooth, so it has to be within Bluetooth range to be located (pretty short range). You might get lucky and another Tile user may "find" it and share location with you.
Second Yubikey just got here, third is on the way, love them.
Excellent!
I just got the 5 NFC and this answered EVERY question I had (spent hours trying to connect the dots)...
Thanks a bunch!
Great video! I use the 5ci as primary and 5 NFC as secondary. I also have my PGP keys on my 5ci.
I purchased 5 NFC and 5C NFC. I'm ready to set them up now that I lost my job.
I wish I found you before and used your link. Great video!
The acting for the google Authenticator is top notch lol. Great video!
I was intently listening to you describe why I should be using a Yubikey and looking at the artwork on the wall behind you. I know I am really tired and need more sleep but I thought I'd keep watching as long as I could and then it hit me as to why that artwork looked so familiar. When you terminate enough network cables in your life that you can do it in your sleep, things like the T-568B standard just become like a white wall or a white ceiling. It's there but you just don't see it and yet you know it's there.
Must have for Emails and Password managers. I just wished more websites would support security keys.
Especially banks. Wish my bank and credit union would support it 😭
If you kept it going till now you have all the respect that I can give
Chris U have converted me to this yubikey, Thanks
i feel much safer now , great vid
I’m a tech moron.... and was filled with dread at having to update my entire online security & password collection over various macs.
This video has really helped !
I think I can now master this with a bit of time. Thanks 🙏
I'm just under two minutes into the video, I'm hopeful that this provides an answer about what to do if you break one, because I have been known to break tiny things like a USB Key, so that has been my biggest fear about them. I mean do you have a backup key? Can you make new backups if you need to use the backup because the original broke?
Yes if I were to use them I would and you can have multiple keys. Just like backups go for 3 keys one of which is off site but in a secure place. One on you, a replacement hidden somewhere in the house and another secured off site. He is actually wrong or misunderstood when it comes to having multiple token generators: just like backups you have a sequence of secure backup keys.
Good
You can't make a backup of a Yubikey, each Yubikey will forever remain a separate key with its own identity. What you can do is have several Yubikeys affiliated with a single account such that losing one means you can use the other. Any lost key needs to be manually removed from an account/website.
@@3QuaNiMiTyy Exactly like that! This should be the first pinned comment under this video!
There is an easier way to add TOTP to multiple Yubikeys. Use the Windows Snipping Tool utility to screen grab the entire QR code. With your first Yubikey, you add the new account, then you double click in the Yubi Authenticator app, then touch the Yubikey for your 6-digit code. Normally, once you enter this code, the QR screen vanishes because TOTP is set up for that one device. If you remove Yubikey #1 and add in Yubikey #2 or #3 or what have you, so long as the Snip-it QR code that you copied is completely visible, you can auto add the same account to your backup Yubikeys. There is no need to manually enter the account on two or more Yubikeys. This works on Windows 10, but I can't swear to whether other OS's will also work.
@16:46 - The collectable value on that special edition key dropped 99% the second you opened the original packaging. ;)
Thanks Chris, great presentation. Have had a Yubikey for several years but only used it a few times so this was a great refresher.
Great video, thank you for giving this profound overview.
Glad you enjoyed it!
Awesome, just the video I was looking for. Bonus that all the abbreviations are explained as well!
Is it recommended to buy two keys per user in an enterprise setting? Users are notorious for losing things 😅
Nice video, I got a yubikey a few months ago but I wasn't using it to its full potential, this video helped me understand what the capabilities are, thanks!
When you talked with your yubikey engineer friend, what did he say that made you use it?
Probably that it's faster than using authenticator apps on your smartphone. Also that he showed him how to use it, since he was unaware of how they worked.
Thank you for that great overview and answering all of my questions before I could even ask them.
Dangit Chris! I’ve been thinking about doing this for a while. 5C NFC is ordered.
I may be overly concerned about hackers, but personally I would not go with anything that is wireless when security is concerned. Wireless just provides one extra weak link in the chain. When using radio technology, i.e.: "NFC" I do suggest making yourself aware of the exact radius of that particular radio transmission.
@@Inertia888 Just the info I was looking for, thanks m8!
@@Inertia888 got credit/debit card?
@@johnzoidberg9764 yes, I do. and I change my numbers every few months just in case it has been compromised.
I just use TOTP in 1Password, it gets filled in automatically along with the login so I don't even have to look up the app/site, just need to have 1Password unlocked. This seems faster than a yubikey, and works on all platforms. I understand that a HW key is more secure but I wouldn't call it faster or more convenient. Will probably end up getting it anyway to secure 1Password itself and some of the more critical logins :)
I like the grumpy man typing google authenticator code.
I use Yubikey. I like it.
I think keeping one key in a safe is a waste. I have two keys and also have one on my keyring/chain but the other one is permanently in my home computer and that gives me flexibility. There's no need to store a key in a safe - just make sure you've got a backup of the 'manual' codes that you used to add the OTP account to both keys. If you want to be 'as secure" then you could always keep all these codes in a text file on a USB stick and keep that in the safe. You can then always use these to recreate them on a fresh key.
I can’t look at that painting in the background without thinking of pixie sticks.
It's the wiring order for an Ethernet connector.
Pristine clear and relevant tube. Thanks so much for such a nice review of the Yubikey products!
Google Authenticator now lets you log in and migrate devices, I believe.
Edit: it requires the old device, but you can scan a QR code from the old device using the new device to migrate to the new device.
That's great news! Excellent update. Still...I would never go back because it can't do FIDO or other enhanced types of 2FA.
@@CrosstalkSolutions I couldn't agree more! Just wanted to point it out.
If you're lucky the old device hasn't suffered a hardware failure, fire, water damage, theft etc.
I had a charging port go on my Android phone and only realized by the end of the day that the thing wouldn't take a charge and had to literally make haste to get another old spare phone setup and migrate via QR . If I didn't notice it earlier I woulda been hosed pretty badly as I've got Google 2FA on pretty much everything.
All MFA apps allow you to migrate your accounts. All you need to know is backup/recovery codes that you were provided with the first time you signed in to the MFA app.
@@OlegObukhov up until this year, Google Authenticator did not. You'd have to redo every account...
Thank you for that great product advertising. But I'm missing one topic completely: PGP keys transferred to the YubiKey:
a) Usage in general
b) What if you lose the YubiKey with the transferred private PGP key part? Just use the key backup that you hopefully made before transferring it?
c) How do you revoke already published PGP keys from a lost YubiKey on the corresponding (public) PGP key servers?
I'm currently struggling a bit with that YubiKey 5 NFC variant to use it with my PGP in order to sign or encrypt my mails on a desktop client or on an Android client using the NFC interface...
Where can I get that shirt? Need!
Same, LINK!!!!
I trust you recognize it's from the Chromium browser's unreachable-location minigame? :-)
probably not online...
TEEPUBLIC has several designs. I like this one www.teepublic.com/t-shirt/2053315-chrome-t-rex-dinosaur-rawr
make a stencil out of lego and ink stamp it on....
Great video, thanks! I noticed that you are reading from a script, as your eyes are constantly moving from left to right. If you place the teleprompter further away from your setup, it will become less noticeable.
Nice! Yes more like this. Timely too, I cleaned out a desk drawer and found some unused Yubikeys, they are getting put into place pronto.
I envy your over-the-average financial status, that you have MULTIPLE unused ~100 USD ea. hardware "just laying" in your drawer, collecting dust.
Chris, I love your videos and especially this one, I saw it maybe more than 10 times....and if you see the rest of the comments, I purchased two using your links.
But I figured that yubikeys are NOT faster than any authenticator app and let me tell you and prove to you why:
I spent a whole evening trying to set up my 2 yubikeys, a 5Ci that I will use as a backup (got the idea from you) and a 5C Nano for my laptop. Later on, I decided to go to bed as I had to wake up early the next day. So while I'm in my bed and using my phone trying to fall asleep, I decide to check my UniFi network by using the "UniFi Network" application, but it asked me for a 2 step authentication. UniFi was one of the first setups I did with Yubikey since I saw that also on your video.
So the fact that I had to get up and go to the living room where I had my laptop and next to it my 5Ci yubikey, so I could put it on my phone in order to log in to the UniFi Network app, made me realize that yubikeys are NOT faster than my Authy app, which was still installed on my phone but without my UniFi auth, since I removed it once I installed the auth on my yubikey.
I never made it to my living room since it wasn't so important to go, but it definitely made me question myself why I should move from the Authy app to a yubikey.
More secure? Probably... but I feel like you want a house without glass windows just for the ONE chance that burglars break the windows and get in your house.
Nobody is building a house without glass windows, right? Although the possibility is always there, that burglars can get in.
I hope you understand my point!
I will try to use my yubikeys since I bought them, but I don’t know how convenient they are to be honest.
Up next: Built in yubikey into cellphone for additional $300 for easy access
🤣👍
Google has already done this. The Titan chip is in some Google phones.
The basic hardware is there already, in sim cards.
Actually, many phones already have something like that built into them. So when your phone is unlocked, you can use it to log into systems. Both Android (since 7.x) and Apple. Apple and Windows laptops supposedly also support it. In Windows it's part of Windows Hello. In all cases I think they need to have a chip built in. Also Krypt Krypton might be an option.
Your reenactment of using yubikeys was amazing and had me loling
Really good content, thanks. If the key is stolen how difficult would it be to retrieve stored data? Are the data encrypted on the key?
Thank you so much, this vid is amazing. You answered every question I had about the different application types. Simply brilliant! I am so thankful for you and you sharing your time.
I wish they had a screen for TOTP, without having to plug the device into a machine, for those areas where we can't install software nor plug USB into them.
I’ve used the NFC on some secure industrial machines
RSA hardware keys exist.
@@deusexaethera Are you saying you can use RSA keys with Yubikey? I have extra RSA keys and didn't think this was possible
I really like how the Steam authenticator 2FA works. No need to unlock your phone, when it detects you are trying to log in, it gives a lock screen notification that gives you the code
Somewhat vulnerable, anyone who can access your phone now has access to your accounts. A Yubikey is a physical hardware token that is, by its nature, air-gapped, that is, not connected to the internet. Further, if connected to a PC it can be limited by requiring physical touch and/or a PIN code.
I was constantly thinking "something in the background looks familiar, but I can't pinpoint it..."
Then my eye fell on the frame hanging next to your youtube reward button thing, and it clicked :D
@fuck google It's a wiring diagram for Ethernet cables www.google.com/search?q=ethernet+wiring+diagram&sxsrf=ALeKk00UdIyMZp6J_v1JjfzmBKeHK0SxRQ:1606463841336&tbm=isch&source=iu&ictx=1&fir=d3PlvGVMrC5arM%252CV-i5CBR7Nb_OJM%252C_&vet=1&usg=AI4_-kSGgTtbv7cz3tvqafq7529zknD0IA&sa=X&ved=2ahUKEwj3vO2UoKLtAhWNmKQKHeGNA50Q9QF6BAgCEFU&biw=1536&bih=722#imgrc=d3PlvGVMrC5arM
07:50 I disagree, having a further layer of security or two to get in to the authenticator increases security. How many people are going to type in 6 numbers wrong?
There is a huge security issue of having Yubico putting things on the clipboard, especially when malware is looking for that.
"I had a half-dozen yubikeys on my desk that I never used until Yubico contacted me to join their affiliate program, but the affiliate program had no influence on my endorsement of their product."
😂😂😂😂
Looks like Yubidoobie is pumping loads of cash in influencing YT influencers.
It’s Yubikey! wherever you go.
Check out Rob Braxman for some real security tech.
Still doesn't change the fact that hardware 2FA is much more safer and reliable compared to software/SMS alternatives when used correctly.
Thanks for your video. It was very informative.
PS. The Steam game platform uses a TOTP, but only in its own application. And let's not forget banks, but they're their own class.
Thank you for the informative video. I was wondering if Google accepts Yubi Key for logging into Gmail, Google Account, etc.
Yes they do
Thanks for the video. Frankly, John Q Public has no chance. You answered my question about losing the key and I love the tile idea.
I love using my Yubikeys and now they've brought out a model with a fingerprint reader, so... *TRIPLE* Factor for the win!
Something you know, something you have, something you are!
...too bad it's FIDO-only! No OTP, no PIV.
Yes I bought two and they have been lying on my desk for two years as I tried to use and got all mixed up so hopefully I will be able to understand how to use (haven't listened to your clip yet).
This is a hard no for me, would be lost in a minute.
Did you not see the part where he lost his?
I have some old Yubikey 4 as well as old Feitian and Titan keys from when I turned on Advanced Protection on Google. But seeing your demonstration of the YubiKey Authenticator, I've now purchased five of the YubiKey 5 FIPS keys and am excited to try them out. Something interestingly different is that the secrets are now (since YubiKey 5) stored directly on the key instead of in your application. This will make it easier to use secrets from different devices without trusting a cloud service like Authy to keep the private keys on their servers.
I would love to be able to import my authy records into a yubi account.
You'd basically just go into your accounts and disable your Authy 2 factor authentication, then set them up again but on the Yubi account.
You should remove the safe from your master bedroom closet and put it somewhere else, especially since you announced it on RUclips. Thieves know that is the number one place to find a safe and they can get in and out with it in 5 minutes. They get more nervous by the minute as they are searching the house though so if you choose a less obvious place they will more likely give up and run away.
Could be a very sly misdirection
Great video, but I'm not convinced it's better for personal use, you really can't beat something like 1password's cmd+/ (mac) or ctrl+/ (windows) key combo which fills your username, password, and when using OTP, the 2FA code when prompted. One and done. Also integrates into Safari and Chrome for iOS or Android. Truly a one-stop password app. Not to mention, it's stored in an encrypted vault, so it's shared between ALL your devices. Lastly, no limit on the number of sites you can use 2FA on. Yubikey seems good for large-scale 2FA implementations, but not for personal use... IMO
I think a middleground is perfect. Use yubikey for 1password and let 1password handle all other 2fa. I just googled and think it should work. You'd have the best of both worlds imo.
I think Chris got this wrong in his video. I'm not an expert on this, but I spent some time researching this because I wanted to know the technical details. If you're looking to replace authenticator apps that generate TOTP codes, a Yubikey or similar device can actually be used for an unlimited number of services. The 25 slot limit is for "Resident Keys" which are used for entirely password-less authentication schemes.
You totally can use the QR codes to setup multiple keys, the same way you used the secret to set them up manually.
1. Open website with QR code
2. Insert key A and scan the QR code, but do *NOT* enter the generated code on the website to complete the setup at this stage
3. Remove key A from the computer/phone
4. Insert key B and scan the QR code
5. Use either key to generate a code, enter that on the website to confirm setup & finish the website's setup steps
Agreed, this is how I did it. Note other people retain (in a secure place) the QR Code or manual secret in perpetuity for the convenience of later registration of "key C" in the future.
Thank you, this took me over the top, I ordered Yubikeys (from your link, of course) for the family. One question remains. What happens with the lost backup Yubikey? Do you have to reset all the logins?
Add a password to it. So if someone steals it, they'd have to know both the yubikey password and the account password.
1) In regard to ruclips.net/video/ybn9J4QCqK4/видео.html , there is no limit for the number of "U2F/FIDO1" services your yubikey can be connected with. The 25 slots is in regards to FIDO2/webauthn when using "key attestation". As far as I know, this is pretty much limited to password-less services, like Microsoft.
2) TOTP can be phished. If you accidentally log into a fake site and enter your user+pass+TOTP code, the attacker can log in. You can't do that with U2F/webauthn. Since Google switched to forcing their 100,000+ employees to use U2F, they have not had a single successful phishing attack.
3) TOTP requires the service to use proper rate limiting. As anyone can clearly see, nearly every site only uses 6 digit TOTP codes. That's only 1 million combinations for any given 30 second window. There have been attacks on services where the attacker just brute forced the TOTP code by trying every code within a 30 second window and was able to bypass TOTP in a matter of seconds. I assume most big players properly implement login rate limiting, but I'm too afraid to test because I don't want to get blocked. And good luck finding any information about such things for a given service.
4) Yubikey/U2F actually uses the same kind of tech as HTTPS. Except instead of your browser validating the HTTPS certificate really is for youtube.com, it's the service validating that the certificate really is for your yubikey.
5) There are cheaper alternatives to yubikey, but they have lesser security ratings if that matters to you. Yubico has designed their devices to be tamper evident and nearly impossible to hack if someone gained access to it. Either way, a U2F security key is much stronger than TOTP.
I was stumbling over the 25 slot limit myself while researching this. A lot of people seem to get this wrong (I did, too). Imo this is not properly explained on the Yubico website and also in technical talks I've seen from the likes of Black Hat. It's a nice example of the Dunning-Kruger effect: First I was impressed that it can work with an unlimited number of services. Then I read about that 25 slot limit, which actually refers to Resident Keys, and thought about how 2FA for an unlimited number of services could even be possible if the security key needs to store a unique secret for each service. Now I know that the service actually stores the private key in an encrypted form and passes it to the security key after password authentication (at least I think that's how it works).
It would be nice to see them integrate biometric authentication into it (an advantage of the smartphone). It would also be nice if soft token MFAs got more into MFA push notifications for wearable devices (giving you the same one touch MFA experience as the yubikey).
YubiKey Bio is coming soon. Has a built in fingerprint reader.
Or you could just use Secret Double Octopus and get rid of your password all together.
One method for using TOTP as a backup is copying the secrets used aside from the QR code into a text file and keeping that on a secure flash drive. If your primary authentication method is compromised you can use the secrets to temporarily set up an authenticator app to regain access.
What about push notifications to an auth app? I can accept a prompt in about 2 seconds by accepting it on my watch. Just saying...
Convenience VS security
I have a Yubikey for work and I can't imagine doing my job without it at this point--I probably average 50 MFAs every day... Back when I was still driving into the office most days it was super painful if I forgot my key at home and had to use my Duo app. Still haven't made the switch for my personal stuff though.... hmmmm....
Hmm... Doesn't leaving the key plugged into your PC with the app running kind of defeat the object? Not unlike leaving your password on a post-it note under your keyboard really :-0
That’s why I prefer to use a password manager and have the yubikey work with the master password to access the manager.
Doesn't the yubikey (at least some models) still require biometric authentication before it works even if plugged in?
It would still need to be tapped by your fingers to activate… but yes, this has crossed my mind as well. For that I personally would steer clear of the “leave-in” ones… though i think the concerns are irrational for most security threats.
@warcorer Nice.
In fact no, and that's why things like the trusted platform module and SSH keys exist. It's just a second factor, so if somebody wanted to hack your account they would need your password too, or the other way around: if they have your password they would need to hack the PC too to get the login done. But the YubiKey requires button confirmation before login, so that's fixed too.
So what about the best practices for:
* when you LOSE a YubiKey? Revocation recommendations?
* Work vs Personal Yubikey
* SSH keys
* PGP/GPG Crypto keys ?
* Large crypto keys (>4096bit)?
Gotta love RUclips recommendation:
Up next:
Breaking FIDO: Are Exploits in There?
From Black Hat
In all honesty I'm still slightly skeptical.
I personally still only use passwords, and don't login on computers that I don't own/control.
If I'm ever out and about and need to log in to my bank or something like that, I just use NoMachine to connect back to my server at home and log in through that.
I'm still not sure how trustworthy a for-profit authentication company can be, when you have major players like Google joining on the standards.
I don't think there's a major security issue, I just don't think it's mature enough. On one side Google is fucked up; on the other, Google (and other major players) have too much to lose if they start losing reputation, so I don't think they would mess with authentication, but who's to say Yubikey can be trusted to not fuck up their protocol and chips being fundamentally flawed.
The issue I have with all those passwords and double, triple checking of identity is that at the end they tend to try and make it easier to actually authenticate, and people end up using a 4 digit pin set to 0000, 1111, 1234 because some company made their old password insecure by forcing them to change it, make it too complicated, and have a trillion different login portals.
Too much of a hassle. The Bitwarden extension for Chrome will copy the TOTP to the clipboard automatically after you select the website you are currently trying to log into.
A lot fewer steps, and I don't have to worry about losing the YubiKey or keeping a backup in my safe!
May be great for businesses to force employees to carry this extra key, which will most likely get lost, as an added security step.
For regular folks like me, it's not worth it.
All your negative points about using software-based authentication, saying it takes too many steps to use your cellphone and then type into the screen and hope you don't make a typo, are all nullified by using, in my case, the Bitwarden browser extension.
Great video. You just convinced me even more why it's not for me.
Great info I'll be watching this video a few times to digest it all. Lots to consider.
On the subject of having more than 1 Yubikey configured per site with the Yubico Authenticator, what I do is go through the process of letting the Yubico Authenticator recognise the on-screen QR code, for each Yubikey, but only confirming the authentication code with the site after the last Yubikey is configured. Works fine.
I prefer this method, because the manual method sometimes does not work, because the algorithms used to generate the authentication codes, are not always the same for each site (there are multiple standard methods) and I am yet to find any site which actually states which method they're using. Scanning the QR code gets around this problem, as it seems that the method used is encoded within the QR code.
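The reason the QR-code route is more reliable than typing the secret, as the comment above observes, and the reason a secret saved aside from the QR code (as an earlier comment suggests for backups) is enough to rebuild an authenticator, is that the QR code is just an otpauth:// URI: the secret plus the hash algorithm, digit count and time step. The Go program below is an added example, not code from the page or from Yubico, that parses such a URI and computes RFC 6238 codes from it; the sample URI is constructed here using the 20-byte test seed from RFC 6238, and the otpauth parameter names follow the widely used Key URI format.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/sha512"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"hash"
	"net/url"
	"strconv"
	"strings"
	"time"
)

// OTPParams is what a provisioning QR code (an otpauth:// URI) carries.
type OTPParams struct {
	Label     string
	Secret    []byte
	Algorithm string // SHA1, SHA256 or SHA512
	Digits    int
	Period    int // seconds per time step
}

func hashFor(alg string) (func() hash.Hash, bool) {
	switch alg {
	case "SHA1":
		return sha1.New, true
	case "SHA256":
		return sha256.New, true
	case "SHA512":
		return sha512.New, true
	}
	return nil, false
}

// ParseOTPAuth extracts the TOTP parameters from an otpauth://totp/ URI,
// applying the usual defaults (SHA1, 6 digits, 30 s) when a field is absent.
func ParseOTPAuth(uri string) (*OTPParams, error) {
	u, err := url.Parse(uri)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "otpauth" || !strings.EqualFold(u.Host, "totp") {
		return nil, fmt.Errorf("not a TOTP otpauth URI: %s", uri)
	}
	q := u.Query()
	// QR-code secrets are base32, usually unpadded, sometimes lowercase or spaced.
	raw := strings.ToUpper(strings.ReplaceAll(q.Get("secret"), " ", ""))
	raw = strings.TrimRight(raw, "=")
	secret, err := base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(raw)
	if err != nil || len(secret) == 0 {
		return nil, fmt.Errorf("bad secret in URI: %v", err)
	}
	p := &OTPParams{Label: strings.TrimPrefix(u.Path, "/"), Secret: secret,
		Algorithm: "SHA1", Digits: 6, Period: 30}
	if a := q.Get("algorithm"); a != "" {
		p.Algorithm = strings.ToUpper(a)
	}
	if d := q.Get("digits"); d != "" {
		if p.Digits, err = strconv.Atoi(d); err != nil {
			return nil, err
		}
	}
	if s := q.Get("period"); s != "" {
		if p.Period, err = strconv.Atoi(s); err != nil {
			return nil, err
		}
	}
	if _, ok := hashFor(p.Algorithm); !ok {
		return nil, fmt.Errorf("unsupported algorithm %q", p.Algorithm)
	}
	if p.Digits < 6 || p.Digits > 9 || p.Period <= 0 {
		return nil, fmt.Errorf("unreasonable digits/period: %d/%d", p.Digits, p.Period)
	}
	return p, nil
}

// HOTP implements RFC 4226: HMAC over the big-endian counter, dynamic truncation.
func HOTP(secret []byte, counter uint64, alg string, digits int) (string, error) {
	h, ok := hashFor(alg)
	if !ok {
		return "", fmt.Errorf("unsupported algorithm %q", alg)
	}
	mac := hmac.New(h, secret)
	var c [8]byte
	binary.BigEndian.PutUint64(c[:], counter)
	mac.Write(c[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod), nil
}

// TOTP (RFC 6238) is HOTP with the counter set to the current time step.
func TOTP(p *OTPParams, at time.Time) (string, error) {
	return HOTP(p.Secret, uint64(at.Unix())/uint64(p.Period), p.Algorithm, p.Digits)
}

func main() {
	// Constructed sample URI; the secret is RFC 6238's "12345678901234567890" in base32.
	const uri = "otpauth://totp/Example:alice%40example.com?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&algorithm=SHA1&digits=8&period=30"
	p, err := ParseOTPAuth(uri)
	if err != nil {
		panic(err)
	}
	code, _ := TOTP(p, time.Unix(59, 0))
	fmt.Println(p.Label, p.Algorithm, code) // RFC 6238 test vector at T=59
	now, _ := TOTP(p, time.Now())
	fmt.Println("current code:", now)
}
```

Two keys (or a key and a phone app) loaded with the same URI produce identical codes at the same time step; if they disagree, the secret, algorithm or digit count differs between them, which is exactly what a manual entry that ignores the algorithm parameter produces.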
Just ordered a Yubikey looking forward to the setup and security with it!
Thanks for the incredibly useful video! You demystified a lot of information in a clear way!
Bro, your pjtra affiliate link didn't work for me. You might want to check it. Great video, I'm a believer now! Thanks.
Question: If you're using a Yubikey to unlock your android then you have to get it out and stick it into the USB-C slot each time the android times-out on its own, which commonly happens when the phone is set down for any number of reasons, or when the user only needs to look something up quickly, then turns it off after doing so. The usual scenario is the user swiping the screen, then tapping in the pin, then going in for whatever reason. So with the security key enabled, the user has to tap in the pin, then get the key out and stick it in. This scenario can occur several times an hour, certainly a dozen or so per day....I use a clamshell key case with a zipper that I need two hands for, and if I carry the key in it I'd need to set things down, get out the case, unzip it, deploy the key, zip the case back up, pocket it and proceed.......way too tedious.....advice?
Thanks in advance,
Joe
You could use the NFC version which only requires you to tap the phone on the back, also there are often options to "trust a device" such that you do not have to use your second factor either indefinitely or for a defined period ("don't ask me for 1 month etc").
Bought a YubiKey thanks to this video, with your affiliate link. Cheers Chris!
Best Yubikey video ever. I learned about this from a podcast but they just flew over the topic so fast I couldn't tell what to do with the damn thing; only that it was 2fa. Now I have a reason to buy a few to use for more security. I don't like using my phone for 2fa because I don't really trust the phone's os.
Thanks Chris. Extremely informative video.
Hello, you mentioned PIN on your Yubikey a few times; when would one use the PIN for the Yubikey?
Is it FIDO or FIDO2, or both?
When should the PIN be set up, and where and how is the PIN setup done?
Hey Chris, are you sure about being able to backup TOTP codes to multiple yubikeys? I'm not able to reproduce that. I bought two keys (a 5 NFC and a 5 Nano) and set up 2FA on my Ubiquiti account, exactly as you do in the video. But when I add the code from the Ubiquiti page manually to each of my two keys, they generate different codes. You have to copy one of the generated codes back to the Ubiquiti page to complete the process, and only the key that generated that code will work for logging back in. I hope I'm missing something because I bought these two keys because you said I could have a backup... :)
Nevermind. Figured it out. I was using 2 different computers. If I use the same computer/authenticator app it works as expected.
Thank you for explaining. I just ordered a YubiKey 5 Nano yesterday. Unfortunately I only found your video today or I would have bought through your link.
Logged into RUclips with my YubiKey 5 NFC USB-C to watch this video. Love YubiKeys and have a few, been using them since 2017.
Thx Chris, Great Video, ... currently using it only for AAD auth, and I don't want to do without it anymore ...