You Should Be Using Yubikeys!

  • Published: 27 Sep 2024

Comments • 1K

  • @stevenhatcher6760
    @stevenhatcher6760 3 years ago +18

    Just ran across this video... All I can say is THANK YOU! You did an amazing job at laying out what Yubikeys not only are, but the demos were off the chain! Keep up the great work sir!

  • @obiwan300
    @obiwan300 3 years ago +116

    For your time codes to automatically put "chapters" on your timeline, you have to put a 0:00 time code in the list. Great video!

    • @betterwithrum
      @betterwithrum 1 year ago

      yeah at 25:30 I was like, 'this is really good, but I gotta go'

  • @APrintmaker
    @APrintmaker 3 years ago +11

    Very useful. I too had Yubikeys on hand waiting to understand how to use them. Multiple keys per account info helped a lot.

  • @mikeoreilly4020
    @mikeoreilly4020 3 years ago +29

    I've always found Yubikey's own documentation to be fairly obtuse. Thanks for the clearest explanation yet.

  • @AmichaiRotman
    @AmichaiRotman 2 years ago +11

    You don't have to use the manual method to configure the same TOTP on all your YubiKeys, just switch between them while on the QR Code screen and enter the TOTP from the last key you configure to finish the respective service TOTP setup.

  • @paulrobertmarino7623
    @paulrobertmarino7623 3 years ago +12

    For TOTP you can use the QR code to program multiple Yubikeys: simply program one and do not put the code from the key into the site, then insert your second one and add it there too, and once you've programmed the last one then enter the code into the site. As an alternative for having multiple keys for TOTP you may copy the code or QR image and store it in an encrypted file using tools like GPG/OpenPGP, but that is another subject, sort of... it would have been nice to cover the PGP functions of the Yubikey as well, maybe that can be a future video :).

    • @ahensley
      @ahensley 2 years ago +1

      If you do this I don't believe you'd be able to revoke them individually, i.e. in case you lost one. You'd just have to remove and re-add the one you still have.

    • @MitchKarajohn
      @MitchKarajohn 1 year ago +4

      @@ahensley on the contrary, in that case if you lose one key you can just get a new one and feed it the existing TOTP seed (the original QR code/secret code). This way you don't have to invalidate existing TOTPs and redo them all over again in both new and old keys. (If there is a chance that you lost a key to someone who also has access to your passwords then the correct thing to do is actually invalidate existing TOTPs and redo them, not reuse existing seeds)

  • @VirgilNicolae
    @VirgilNicolae 3 years ago +5

    Thanks, Chris! Using them already for about 3 years but managed to find some new things watching your video!

  • @adamkee97
    @adamkee97 3 years ago +2

    Now, this is neat. I never knew those accounts are stored in the keys. I started using Authy last year because it can back up my keys. But that means my secret codes are now on the cloud. I need that feature so I won't lose them whenever I reset my phone, which I do every time it gets a major system upgrade. I don't lose my stuff easily, so having a key is better than having an app. Thank you for such an informative video.

  • @HouseDyson
    @HouseDyson 3 years ago +3

    The acting for the google Authenticator is top notch lol. Great video!

  • @jonathanshaw6784
    @jonathanshaw6784 3 years ago +2

    Regarding Tile, they work via bluetooth not GPS, so they will only give their location if they are near your phone (or near someone else's phone with the tile app). It works well for if you can't find your keys in your house or to check they're in a bag, much less useful for tracking a stolen bike.

  • @carlode3593
    @carlode3593 3 years ago +3

    Thank you for your thorough summary of Yubikeys and set up. Bravo!!

  • @azclaimjumper
    @azclaimjumper 2 years ago

    I now have my two 5NFC YubiKeys "Smart-Card Enabled" on both of my Macs meaning that the only way I can log onto either computer is to physically insert the Key into a USB port & enter the PIN. Passwords no longer work.
    Pairing my keys to each computer was easy peasy. Getting the "Smart-Card Enabled" on my computers required the same effort Generals in WWII had in planning the D Day invasion. Apple articles are incomplete & I never did find or talk with a Senior Tech Advisor that had ever even dealt with the codes required that need to be entered in Terminal.
    Either Passwords or the YubiKey can be used to log into a computer if "Smart-Card Enabled" isn't enabled which seems to me to defeat the purpose of YubiKeys.
    Yes, I've just subscribed & rang the notification bell.
    Warm Regards from Reno, Nevada.

  • @iThinkergoiMac
    @iThinkergoiMac 3 years ago +6

    Great video! It's worth noting that for most accounts, even if you miss typing in the code before it expires, as long as you know it, you can still enter it for some time (usually between 5 and 15 minutes). Obviously, as soon as it expires you can't see it anymore, but if you still remember it, you can still enter it.

    • @wifienabled
      @wifienabled 1 year ago

      That's a hazard if you think about it.

  • @daphbobo
    @daphbobo 3 years ago +6

    I like the grumpy man typing google authenticator code.

    • @daphbobo
      @daphbobo 3 years ago

      I use Yubikey. I like it.

  • @kensmith7417
    @kensmith7417 3 years ago +6

    Second Yubikey just got here, third is on the way, love them.

  • @contextmatters8243
    @contextmatters8243 2 years ago

    Excellent!
    I just got the 5 NFC and it answered EVERY question I had (spent hours trying to connect the dots)...
    Thanks a bunch!

  • @grantrettke4851
    @grantrettke4851 2 years ago +21

    Best balance between skimming over details to make it short and going way over time to make an exhaustive yet way too long video. Key points are covered. Points out of scope are stated as such. Points that have bigger implications and do need consideration at some point, are also made clear: things that make you think. Ideal balancing a critical yet confusing topic. Great vid.

  • @quddus404
    @quddus404 2 years ago

    If you kept it going till now you have all the respect that I can give

  • @KrispyKrink
    @KrispyKrink 3 years ago +4

    Great video! I use the 5ci as primary and 5 NFC as secondary. I also have my PGP keys on my 5ci.

  • @olafschermann1592
    @olafschermann1592 3 years ago +1

    Thank you for that great overview and answering all of my questions before I could even ask them.

  • @g-wizgeorge4454
    @g-wizgeorge4454 3 years ago +8

    You mentioned “losing” one of your Yubikeys. What’s the best practice for moving forward if you believe it to be truly lost or stolen? That would make a good video.

    • @Gersberms
      @Gersberms 3 years ago +5

      It depends on the account you lost. He briefly mentioned backup codes, I've seen that several times now that you get backup codes when you set up 2FA. Save those codes, and do not lose them. If you do, there may be no way back. I lost my Steam Authenticator, and had to contact support to get it straightened out. 2FA kind of worries me for that reason. Same problem with one time use texts, if you lose your number or your phone.

    • @ulbuilder
      @ulbuilder 3 years ago

      Get two yubikeys and lock one of them up in a safe place, many sites will let you register multiple MFA devices. So if you lose one you can log in with the other key, delete the lost one and register the replacement. On sites that do not allow that they will have some sort of backup code or method. Put that info in a safe place.

    • @AmandeepSingh-oe4te
      @AmandeepSingh-oe4te 3 years ago +2

      Simply buy a Ledger Nano S or Trezor T which only unlock after entering a PIN on the device. You only need to keep a 24 or 12 word backup; if you lose your device, just buy another. They both offer FIDO2.

    • @Anaerin
      @Anaerin 3 years ago +1

      I'd love an answer to that too. How do you invalidate a Yubikey if it is lost or stolen, to stop it from being used maliciously, or is the only way to manually remove it from all your accounts? Is there no way to say "I no longer have this key, remove all the accounts from it"?

    • @ystebadvonschlegel3295
      @ystebadvonschlegel3295 3 years ago

      @@Anaerin Exactly - seems like you'd have to keep a list of everywhere it was registered and then go chasing them down manually. I know I won't do that (keep an up to date list)

  • @jodroogmans9374
    @jodroogmans9374 2 years ago

    Awesome, just the video I was looking for. Bonus that all the abbreviations are explained as well!

  • @triularity
    @triularity 3 years ago +3

    @16:46 - The collectable value on that special edition key dropped 99% the second you opened the original packaging. ;)

  • @donovansobrero9553
    @donovansobrero9553 3 years ago +1

    Been using a Yubikey for years, have a few of them. It's important to note that if you set everything up and then lose the key, you're going to have a problem. So it's best to have two: one you use and one you keep in a safe place with the same sites configured on it.

  • @tedherman38
    @tedherman38 3 years ago +15

    Dangit Chris! I’ve been thinking about doing this for a while. 5C NFC is ordered.

    • @Inertia888
      @Inertia888 3 years ago

      I may be overly concerned about hackers, but personally I would not go with anything that is wireless when security is concerned. Wireless just provides one extra weak link in the chain. When using radio technology, i.e.: "NFC" I do suggest making yourself aware of the exact radius of that particular radio transmission.

    • @joshuanbray
      @joshuanbray 3 years ago

      @@Inertia888 Just the info I was looking for, thanks m8!

    • @johnzoidberg9764
      @johnzoidberg9764 3 years ago

      @@Inertia888 got credit/debit card?

    • @Inertia888
      @Inertia888 3 years ago

      @@johnzoidberg9764 yes, I do. and I change my numbers every few months just in case it has been compromised.

  • @d3m3tr3s
    @d3m3tr3s 3 years ago

    Chris, I love your videos and especially this one, I saw it maybe more than 10 times....and if you see the rest of the comments, I purchased two using your links.
    But I figured that yubikeys are NOT faster than any Authenticator app and let me tell you and prove to you why:
    I spent a whole evening trying to set up my 2 yubikeys, a 5Ci that I will use as a backup (got the idea from you) and a 5C Nano for my laptop. Later on, I decided to go to bed as I had to wake up early the next day. So while I’m in my bed and using my phone trying to fall asleep, I decide to check my UniFi network by using the “Unifi Network” application, but it asked me for a 2 step authentication. Unifi was one of the first setups I did with Yubikey since I saw that also on your video.
    So the fact that I had to get up and go to the living room where I had my laptop and next to it my 5Ci yubikey, so I could put it on my phone in order to log in to the Unifi Network app, made me realize that yubikeys are NOT faster than my Authy app, which was still installed on my phone but without my Unifi auth, since I removed it once I installed the auth on my yubikey.
    I never made it to my living room since it wasn’t so important to go, but it definitely made me question myself why I should move from the Authy app to a yubikey.
    More secure? Probably....but I feel like you want a house without glass windows just for the ONE chance that burglars break the windows and get in your house.
    Nobody is building a house without glass windows, right? Although the possibility is always there, that burglars can get in.
    I hope you understand my point!
    I will try to use my yubikeys since I bought them, but I don’t know how convenient they are to be honest.

  • @mvl8209
    @mvl8209 3 years ago +3

    I was constantly thinking "something in the background looks familiar, but I can't pinpoint it..."
    Then my eye fell on the frame hanging next to your youtube reward button thing, and it clicked :D

    • @mvl8209
      @mvl8209 3 years ago

      @fuck google It's a wiring diagram for Ethernet cables www.google.com/search?q=ethernet+wiring+diagram&sxsrf=ALeKk00UdIyMZp6J_v1JjfzmBKeHK0SxRQ:1606463841336&tbm=isch&source=iu&ictx=1&fir=d3PlvGVMrC5arM%252CV-i5CBR7Nb_OJM%252C_&vet=1&usg=AI4_-kSGgTtbv7cz3tvqafq7529zknD0IA&sa=X&ved=2ahUKEwj3vO2UoKLtAhWNmKQKHeGNA50Q9QF6BAgCEFU&biw=1536&bih=722#imgrc=d3PlvGVMrC5arM

  • @marcelo55869
    @marcelo55869 3 years ago +2

    The only attack that works on my yubi keys
    Korone-chan: "Yubi Yubi!"
    Me: "Yes Korone... here... have my yubis"

  • @cristalballena-hotel
    @cristalballena-hotel 3 years ago +4

    Great video, thank you for giving this profound overview.

  • @samrichardson9827
    @samrichardson9827 3 years ago +1

    Pristine clear and relevant tube. Thanks so much for such a nice review of the Yubikey products!

  • @bruceg
    @bruceg 3 years ago +2

    Thanks for the video. Frankly, John Q Public has no chance. You answered my question about losing the key and I love the tile idea.

  • @beardymcbeardface69
    @beardymcbeardface69 3 years ago +4

    I love using my Yubikeys and now they've brought out a model with a fingerprint reader, so... *TRIPLE* Factor for the win!
    Something you know, something you have, something you are!

  • @adrianreboredamartinez1073
    @adrianreboredamartinez1073 3 years ago +1

    Thanks for your video. It was very informative.
    PS. The Steam game platform uses a TOTP, but only in its own application. And let's not forget banks, but they're their own class.

  • @sugafreebree
    @sugafreebree 2 years ago

    Thank you so much, this vid is amazing. You answered every question I had about the different application types. Simply brilliant! I am so thankful for you and you sharing your time.

  • @robertmckee9272
    @robertmckee9272 3 years ago +1

    Meh. The microsoft authenticator is so much quicker. You login to the website, and a notification pops up on your phone, just click it. Face recognition logs you into your phone, and then depending on the method, you either click the "Yes, authorize this request", or you click the 1 out of 4 buttons that corresponds to the code the website is displaying and done. No copy pasting/typing codes, or selecting an answer out of likely a couple hundred choices. And no carrying around another fob (or multiple fobs).

  • @mark_loveless
    @mark_loveless 3 years ago +3

    Nice! Yes more like this. Timely too, I cleaned out a desk drawer and found some unused Yubikeys, they are getting put into place pronto.

  • @theroachmotel
    @theroachmotel 1 year ago

    Your reenactment of using Yubikeys was amazing and had me loling

  • @YuriShevchouk
    @YuriShevchouk 3 years ago +6

    When you talked with your Yubikey engineer friend, what did he say that made you use it?

    • @AlexsaurusRex
      @AlexsaurusRex 3 years ago

      Probably that it's faster than using authenticator apps on your smartphone. Also that he showed him how to use it since he was unaware of how they worked

  • @BenjaminCronce
    @BenjaminCronce 3 years ago +2

    1) In regard to ruclips.net/video/ybn9J4QCqK4/видео.html , there is no limit for the number of "U2F/FIDO1" services your yubikey can be connected with. The 25 slots is in regards to FIDO2/webauthn when using "key attestation". As far as I know, this is pretty much limited to password-less services, like Microsoft.
    2) TOTP can be phished. If you accidentally log into a fake site and enter in your user+pass+TOTP code, the attacker can log in. You can't do that with U2F/webauthn. Since Google has switched to forcing their 100,000+ employees to use U2F, they have not had a single successful phishing attack.
    3) TOTP requires the service to use proper rate limiting. As anyone can clearly see, nearly every site only uses 6 digit TOTP codes. That's only 1 million combinations for any given 30 second window. There have been attacks on services where the attacker just brute forced the TOTP code by trying every code within a 30 second window and was able to bypass TOTP in a matter of seconds. I assume most big players properly implement login rate limiting, but I'm too afraid to test because I don't want to get blocked. And good luck finding any information about such things for a given service.
    4) Yubikey/U2F actually uses the same kind of tech as HTTPS. Except instead of your browser validating the HTTPS certificate really is for youtube.com, it's the service validating that the certificate really is for your yubikey.
    5) There are cheaper alternatives to yubikey, but they have lesser security ratings if that matters to you. Yubico has designed their devices to be tamper evident and nearly impossible to hack if someone gained access to it. Either way, a U2F security key is much stronger than TOTP.

    • @paoloposo
      @paoloposo 1 year ago

      I was stumbling over the 25 slot limit myself while researching this. A lot of people seem to get this wrong (I did, too). Imo this is not properly explained on the Yubico website and also in technical talks I've seen from the likes of Black Hat. It's a nice example of the Dunning-Kruger effect: First I was impressed that it can work with an unlimited number of services. Then I read about that 25 slot limit, which actually refers to Resident Keys, and thought about how 2FA for an unlimited number of services could even be possible if the security key needs to store a unique secret for each service. Now I know that the service actually stores the private key in an encrypted form and passes it to the security key after password authentication (at least I think that's how it works).

  • @Chepakishui
    @Chepakishui 2 years ago

    I really like how the Steam authenticator 2FA works. No need to unlock your phone, when it detects you are trying to log in, it gives a lock screen notification that gives you the code

    • @3QuaNiMiTyy
      @3QuaNiMiTyy 1 year ago

      Somewhat vulnerable: anyone who can access your phone now has access to your accounts. A Yubikey is a physical hardware token that is, by its nature, air-gapped, that is, not connected to the internet. Further, if connected to a PC it can be limited by requiring physical touch and/or a PIN code.

  • @Tinker_Thinker
    @Tinker_Thinker 3 years ago +1

    Logged into RUclips with my YubiKey 5nfc usb-c to watch this video. Love YubiKeys and have a few, been using them since 2017.

  • @terrancejhedrick
    @terrancejhedrick 3 years ago +1

    Thanks for the incredibly useful video! You demystified a lot of information in a clear way!

  • @DaiBach99
    @DaiBach99 3 years ago +1

    BTW Tile will not locate your property by GPS, only Bluetooth, so it has to be within Bluetooth range to be located (pretty short range). You might get lucky and another Tile user may "find" it and share location with you.

  • @garethsnaim8174
    @garethsnaim8174 3 years ago +8

    This is a hard no for me, would be lost in a minute.

    • @donpeer4477
      @donpeer4477 3 years ago

      Did you not see the part where he lost his?

  • @bewarako
    @bewarako 3 years ago +2

    Great video! Been using these for quite some time, make sure to get an extra as backup as mentioned!

  • @justingreen8006
    @justingreen8006 3 years ago +1

    You should remove the safe from your master bedroom closet and put it somewhere else, especially since you announced it on RUclips. Thieves know that is the number one place to find a safe and they can get in and out with it in 5 minutes. They get more nervous by the minute as they are searching the house though so if you choose a less obvious place they will more likely give up and run away.

    • @3QuaNiMiTyy
      @3QuaNiMiTyy 1 year ago

      Could be a very sly misdirection

  • @andrewdecatus5172
    @andrewdecatus5172 10 months ago

    Awesome in depth explanation. Thank you

  • @evancjensen
    @evancjensen 3 years ago +8

    Google Authenticator now lets you log in and migrate devices, I believe.
    Edit: it requires the old device, but you can scan a QR code from the old device using the new device to migrate to the new device.

    • @CrosstalkSolutions
      @CrosstalkSolutions 3 years ago +1

      That's great news! Excellent update. Still...I would never go back because it can't do FIDO or other enhanced types of 2FA.

    • @evancjensen
      @evancjensen 3 years ago

      @@CrosstalkSolutions I couldn't agree more! Just wanted to point it out.

    • @djdrastic1
      @djdrastic1 3 years ago +1

      If you're lucky the old device hasn't suffered a hardware failure, fire, water damage, theft, etc.
      I had a charging port go on my Android phone and only realized by the end of the day that the thing wouldn't take a charge and had to literally make haste to get another old spare phone setup and migrate via QR . If I didn't notice it earlier I woulda been hosed pretty badly as I've got Google 2FA on pretty much everything.

    • @OlegObukhov
      @OlegObukhov 3 years ago

      All MFA apps allow you to migrate your accounts. All you need to know is backup/recovery codes that you were provided with the first time you signed in to the MFA app.

    • @evancjensen
      @evancjensen 3 years ago

      @@OlegObukhov up until this year, Google Authenticator did not. You'd have to redo every account...

  • @christopherwilkinson215
    @christopherwilkinson215 2 years ago +1

    You totally can use the QR codes to set up multiple keys, the same way you used the secret to set them up manually.
    1. Open website with QR code
    2. Insert key A and scan the QR code, but do *NOT* enter the generated code on the website to complete the setup at this stage
    3. Remove key A from the computer/phone
    4. Insert key B and scan the QR code
    5. Use either key to generate a code, enter that on the website to confirm setup & finish the website's setup steps

    • @3QuaNiMiTyy
      @3QuaNiMiTyy 1 year ago

      Agreed, this is how I did it. Note other people retain (in a secure place) the QR Code or manual secret in perpetuity for the convenience of later registration of "key C" in the future.
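Pulling together the "same QR seed on several keys" procedure above (also the tip from @AmichaiRotman and @paulrobertmarino7623) and @BenjaminCronce's points about the acceptance window and rate limiting, here is an added Python example; it is not code from the video or from any commenter. It implements RFC 6238 TOTP over the RFC's own published test seed, and the `Token`, `Verifier` and `guesses_checked_before_lock` names are this example's own, not anything from Yubico's tools.

```python
"""TOTP (RFC 6238) as a YubiKey OATH slot stores it: identical seed -> identical
codes on every key, plus the verifier-side checks the thread above discusses
(acceptance window, replay refusal, rate limiting)."""
import base64
import hashlib
import hmac
import struct
import time
from typing import List, Optional

# RFC 6238 test-vector seed ("12345678901234567890" in base32). Used here only so
# the codes can be checked against the RFC; a real QR code carries a random seed.
RFC_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP = 30      # seconds per code
DIGITS = 6     # what nearly every site uses, hence the 10**6 code space


def decode_seed(seed_b32: str) -> bytes:
    """Seed as shown in 'manual setup' dialogs; tolerates spaces, lowercase, no padding."""
    cleaned = seed_b32.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def totp(seed_b32: str, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """HOTP(seed, floor(at / step)) with HMAC-SHA1 and RFC 4226 dynamic truncation."""
    counter = at // step
    mac = hmac.new(decode_seed(seed_b32), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class Token:
    """Stand-in for one OATH-TOTP slot on a hardware key: holds the seed, emits codes."""

    def __init__(self, label: str, seed_b32: str) -> None:
        self.label = label
        self.seed_b32 = seed_b32

    def code(self, at: Optional[int] = None) -> str:
        return totp(self.seed_b32, int(time.time()) if at is None else at)


class Verifier:
    """Service side: accepts codes from +/- `window` steps around now (why a code
    you remember still works briefly after it vanished from the screen), refuses a
    code whose step was already used, and locks the account after `max_failures`
    bad codes within `lockout` seconds so the 10**DIGITS space cannot be swept."""

    def __init__(self, seed_b32: str, window: int = 1,
                 max_failures: int = 5, lockout: int = 300) -> None:
        self.seed_b32 = seed_b32
        self.window = window
        self.max_failures = max_failures
        self.lockout = lockout
        self.last_counter = -1          # highest step already consumed (replay guard)
        self.failures: List[int] = []   # timestamps of recent failed attempts

    def verify(self, code: str, at: int) -> str:
        self.failures = [t for t in self.failures if at - t < self.lockout]
        if len(self.failures) >= self.max_failures:
            return "locked"
        counter = at // STEP
        for k in range(-self.window, self.window + 1):
            candidate = counter + k
            expected = totp(self.seed_b32, candidate * STEP)
            if hmac.compare_digest(expected, code):   # constant-time compare
                if candidate <= self.last_counter:
                    return "replayed"
                self.last_counter = candidate
                return "ok"
        self.failures.append(at)
        return "bad"


def guesses_checked_before_lock(verifier: Verifier, at: int, attempts: int) -> int:
    """Defender's view of the lockout: how many wrong codes the verifier actually
    evaluates before it stops answering. Returns the count of evaluated attempts."""
    checked = 0
    for n in range(attempts):
        if verifier.verify(str(n).zfill(DIGITS), at) == "locked":
            break
        checked += 1
    return checked


if __name__ == "__main__":
    key_a, key_b = Token("key A", RFC_SEED_B32), Token("key B", RFC_SEED_B32)
    # Both keys were "scanned" from the same QR seed, so they agree at every instant.
    print(key_a.label, key_a.code(59), "|", key_b.label, key_b.code(59))
    v = Verifier(RFC_SEED_B32, window=0)
    print("attempts evaluated before lockout:", guesses_checked_before_lock(v, 59, 10 ** DIGITS))
```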

  • @jpenn727
    @jpenn727 3 years ago +4

    I would love to be able to import my authy records into a yubi account.

    • @VPC
      @VPC 3 years ago

      You'd basically just go into your accounts and disable your Authy 2 factor authentication, then set them up again but on the Yubi account

  • @shawnmcauliffe5072
    @shawnmcauliffe5072 3 years ago +1

    There is a certain irony to putting a camouflaged skin on a key you're already having trouble finding...

  • @vtor
    @vtor 3 years ago

    Bought a YubiKey thanks to this video, with your affiliate link. Cheers Chris!

  • @jakubgolan1871
    @jakubgolan1871 3 years ago +1

    I just use TOTP in 1Password, it gets filled in automatically along with the login so I don't even have to look up the app/site, just need to have 1pass unlocked. This seems faster than yubikey, and works on all platforms. I understand that a HW key is more secure but I wouldn't call it faster or more convenient. Will probably end up getting it anyways to secure 1pass itself and some of the more critical logins:)

  • @iamintractable1805
    @iamintractable1805 3 years ago +2

    I do not recommend a second device over making sure you keep the security keys (which are the same as the QR codes) stored safely somewhere each time you set up 2FA. This is no different than saving the seed words for a cold storage wallet. A second device is a convenience but not protection.

  • @NitroSpaceYT
    @NitroSpaceYT 2 years ago

    Thanks for your easy to follow explanations

  • @AnimalFacts
    @AnimalFacts 3 years ago +51

    Where can I get that shirt? Need!

    • @domzzz1244
      @domzzz1244 3 years ago

      Same, LINK!!!!

    • @YadraVoat
      @YadraVoat 3 years ago +1

      I trust you recognize it's from the Chromium browser's unreachable-location minigame? :-)

    • @cocotug0
      @cocotug0 3 years ago +3

      probably not online...

    • @ChrisHolt1
      @ChrisHolt1 3 years ago +3

      TEEPUBLIC has several designs. I like this one www.teepublic.com/t-shirt/2053315-chrome-t-rex-dinosaur-rawr

    • @itchytastyurr
      @itchytastyurr 3 years ago +2

      make a stencil out of lego and ink stamp it on....

  • @dab42bridges80
    @dab42bridges80 1 year ago

    Excellent overview, thanks.

  • @Nettechnologist
    @Nettechnologist 3 years ago +8

    I wish they had a screen for TOTP, without having to plug the device into a machine, for those areas where we can’t install software nor plug USB into them

    • @jimmymifsud1
      @jimmymifsud1 3 years ago +1

      I’ve used the NFC on some secure industrial machines

    • @deusexaethera
      @deusexaethera 3 years ago

      RSA hardware keys exist.

    • @Nettechnologist
      @Nettechnologist 3 years ago

      @@deusexaethera Are you saying you can use RSA keys with Yubikey? I have extra RSA keys and didn't think this was possible

  • @LiamMcBride
    @LiamMcBride 1 year ago

    The Microsoft Authenticator is what I was using before I ordered my Yubikey. I'm currently waiting for it to arrive, but I'll be switching most of my accounts to the Yubikey when it arrives

  • @matthewgrotke1442
    @matthewgrotke1442 3 years ago +3

    Thank you for the informative video. I was wondering if Google accepts Yubi Key for logging into Gmail, Google Account, etc.

  • @Stretch1931
    @Stretch1931 2 years ago

    I have some old Yubikey 4 as well as old Feitian and Titan keys from when I turned on advanced protection on Google. But seeing your demonstration of the YubiKey authenticator, I've now purchased five of the YubiKey 5 FIPS keys and am excited to try them out. Something interestingly different is that the secrets are now (since YubiKey 5) stored directly on the key instead of in your application. This will make it easier to use secrets from different devices without trusting a cloud service like Authy to keep the private keys on their servers.

  • @dhanushkavithanage232
    @dhanushkavithanage232 3 years ago +6

    Really good content, thanks. If the key is stolen, how difficult would it be to retrieve stored data? Are the data encrypted on the key?

  • @jochie18
    @jochie18 3 years ago +2

    Great video, thanks! I noticed that you are reading from a script, as your eyes are constantly moving from left to right. If you place the teleprompter further away from your setup, it will become less noticeable.

  • @DonovanCYoung
    @DonovanCYoung 3 years ago +5

    Great video, but I'm not convinced it's better for personal use, you really can't beat something like 1password's cmd+/ (mac) or ctrl+/ (windows) key combo which fills your username, password, and when using OTP, the 2FA code when prompted. One and done. Also integrates into Safari and Chrome for iOS or Android. Truly a one-stop password app. Not to mention, it's stored in an encrypted vault, so it's shared between ALL your devices. Lastly, no limit on the number of sites you can use 2FA on. Yubikey seems good for large-scale 2FA implementations, but not for personal use... IMO

    • @liquicitizendirk2147
      @liquicitizendirk2147 2 years ago

      I think a middle ground is perfect. Use yubikey for 1password and let 1password handle all other 2fa. I just googled and think it should work. You'd have the best of both worlds imo.

    • @paoloposo
      @paoloposo 1 year ago

      I think Chris got this wrong in his video. I'm not an expert on this, but I spent some time researching this because I wanted to know the technical details. If you're looking to replace authenticator apps that generate TOTP codes, a Yubikey or similar device can actually be used for an unlimited number of services. The 25 slot limit is for "Resident Keys" which are used for entirely password-less authentication schemes.

  • @Ravikumaryadav06
    @Ravikumaryadav06 2 years ago

    Thank you so much for your time and support

  • @matthewryan
    @matthewryan 3 years ago +10

    Hmm... Doesn't leaving the key plugged into your PC with the app running kind of defeat the object? Not unlike leaving your password on a post-it note under your keyboard really :-0

    • @warcorer
      @warcorer 2 years ago +4

      That’s why I prefer to use a password manager and have the yubikey work with the master password to access the manager.

    • @adamyork2333
      @adamyork2333 2 years ago +3

      Doesn't the yubikey (at least some models) still require biometric authentication before it works even if plugged in?

    • @word42069
      @word42069 2 years ago +2

      It would still need to be tapped by your fingers to activate… but yes, this has crossed my mind as well. For that I personally would steer clear of the “leave-in” ones… though I think the concerns are irrational for most security threats.

    • @ADeeSHUPA
      @ADeeSHUPA 1 year ago

      @@warcorer Nice

    • @hyperfluff_folf
      @hyperfluff_folf 1 year ago +1

      In fact no, and that's why things like the trusted platform module and SSH keys exist. It's just a second factor, so if somebody wanted to hack your account they'd need your password too, or the other way around: if they have your password they would need to hack the PC too to get the login done. But the yubikey requires button confirmation before login, so that's fixed too.

  • @JurajMojzisik
    @JurajMojzisik 3 years ago +1

    That plant on that printer is just wow! : - )

  • @joselegarza148
    @joselegarza148 3 years ago +3

    Thank you, this took me over the top, I ordered Yubikeys (from your link, of course) for the family. One question remains. What happens with the lost backup Yubikey? Do you have to reset all the logins?

    • @bluekeybo
      @bluekeybo 3 years ago +1

      Add a password to it. So if someone steals it, they'd have to know both the yubikey password and the account password.

  • @jordanlambuth362
    @jordanlambuth362 3 years ago +1

    This is a great video, I really enjoyed it and it was very informative. I got one of these that was left over from a project at work, to pilot a new customer's 2FA implementation; seems very kool. I'm going to try and use the PIV deployment method with local Active Directory and a CA to use them as a smart card.

  • @italodelcol3241
    @italodelcol3241 2 years ago

    I'm now a fan of Yubikeys, looking to get one or two. Great video!

  • @ajbeau_au
    @ajbeau_au 3 years ago +3

    What about push notification to auth app? I can accept a prompt in about 2 seconds by accepting it on my watch. Just saying...

    • @VPC
      @VPC 3 years ago

      Convenience VS security

  • @justingreen8006
    @justingreen8006 3 years ago

    Thank you for explaining. I Just ordered a yubikey 5 nano yesterday. Unfortunately I only found your video today or I would have bought through your link.

  • @sethalton205
    @sethalton205 3 years ago +3

    It would be nice to see them integrate biometric authentication into it (an advantage of the smartphone). It would also be nice if soft token MFAs got more into MFA push notifications for wearable devices (giving you the same one touch MFA experience as the Yubikey).

    • @jhb5401
      @jhb5401 3 years ago +1

      YubiKey Bio is coming soon. Has a built in fingerprint reader.

    • @KyleJacksonplus
      @KyleJacksonplus 3 years ago

      Or you could just use Secret Double Octopus and get rid of your password all together.

  • @k7suraj
    @k7suraj 2 years ago

    Hi Chris, thanks for the wonderful explanation!

  • @tobygroves2112
    @tobygroves2112 3 года назад +1

    I think keeping one key in a safe is a waste. I have two keys: one is on my keyring/chain and the other is permanently in my home computer, and that gives me flexibility. There's no need to store a key in a safe; just make sure you've got a backup of the 'manual' codes that you used to add the OTP account to both keys. If you want to be 'as secure' then you could always keep all these codes in a text file on a USB stick and keep that in the safe. You can then always use these to recreate them on a fresh key.

  • @VikingCoffie
    @VikingCoffie 3 года назад

    Had one lying on my desk after some testing some months ago. Did a second round after your video... Now I am going to purchase a new keyboard and a second key.

  • @code8986
    @code8986 3 года назад +1

    Thank you for making this informative video.

  • @andreasmahler3430
    @andreasmahler3430 3 года назад

    Thanks Chris, great video... currently using it only for AAD auth, and I don't want to do without it anymore...

  • @Minecraft101ToonLink
    @Minecraft101ToonLink 3 года назад +1

    I understand the usefulness of a hardware authenticator key, my only issue is that anybody can use it if it gets stolen, and even if I have strong passwords on all my accounts I care about, it would make me very anxious to think about the possibility that someone may have figured out my password and use my Yubikey that was stolen. Sorry, I’m still gonna stick with software authentication, where it’s protected behind a strong iPhone & iPad passcode.
    I personally use OTP Auth for my authenticator, and I would recommend it as a free alternative to Google Authenticator, and is way more flexible. You can encrypt your keys behind a password that you can use Touch ID or Face ID to unlock, and lets you create encrypted backups, those of which you can’t do on Google Authenticator. And you don’t have to worry too much about anything spooky going on if you use Google’s own authenticator app, because you won’t be using Google’s spyware. That’s just my two cents, though.

    • @johnzoidberg9764
      @johnzoidberg9764 3 года назад

      It's a second factor; the thief needs to know where to use it, your email/login, first password and the PIN. It's useless for a thief or finder.

  • @oleksandrlytvyn532
    @oleksandrlytvyn532 2 года назад

    Hello, just started using Yubikey 5 Nano version. It's convenient to use it ☺️

  • @ikust007
    @ikust007 3 года назад +1

    Really excellent. Thank you so much

  • @LinuxRacr
    @LinuxRacr 3 года назад +2

    As always, thank you for your in-depth videos! I have learned so much. One way to explain 2FA is that it is a subset of the term Strong Authentication. Strong auth works on the triad of, something you are, something you have, and something you know. Any two of those used together is strong auth, a.k.a. 2FA.

    • @josephrogersmd
      @josephrogersmd 3 года назад

      Thank you for your post. Can you explain to me the "something you are" part of the triad? I'm not sure what you mean by that. I understand the other two elements, something you have and something you know.

    • @LinuxRacr
      @LinuxRacr 3 года назад

      @@josephrogersmd Something you are is basically biometrics. Fingerprint, iris scan, hand geometry scan, etc...

  • @timrussell5988
    @timrussell5988 2 года назад

    Nice overview with enough detail that I expect to be up and running with little effort

  • @deadlymarsupial1236
    @deadlymarsupial1236 Год назад

    Love the pot plant on the laser printer's scanner ADF 😂🤪👍

  • @WalterGreenIII
    @WalterGreenIII 3 года назад

    I actually DO copy and paste to and from my Android phone to my Linux computer. I use KDE as my desktop manager. I prefer KDE over Gnome or any other desktop manager, but it has the added bonus of having KDE Connect. When I am home I can send commands to my phone from my computer, send commands to my computer from the phone, have videos on my computer pause when someone calls my phone, and have a shared cut and paste between my phone and computer. All I had to do is add KDE Connect to my Android and pair my phone and computer via my WiFi network. My laptop, desktop, and music server have all been paired to my phone; all I do is tell KDE which computer I wish to be connected to and the rest is automatic. In fact, through other software I can also tell my computer to allow access when my phone is within proximity to my WiFi. So my computer 'locks' when I am not home, and unlocks when I am.

  • @kophotography895
    @kophotography895 3 года назад

    I know this video is a sales pitch, however it is really useful, so I have thumbed up this video....

  • @Morning3309
    @Morning3309 Год назад

    Just ordered a Yubikey looking forward to the setup and security with it!

  • @okbustaman
    @okbustaman 3 года назад +2

    I loved the drink part... Nice 👌

  • @acastanares
    @acastanares 3 года назад +1

    Bro, your pjtra affiliate link didn't work for me. You might want to check it. Great video, I'm a believer now! Thanks.

  • @DoomRater
    @DoomRater 2 года назад

    So this is what Korone must be begging for in her streams! The doog wants our USB keys, not our actual fingers!

  • @TonyKinard
    @TonyKinard 2 года назад

    Coincidentally, I came up with the exact same method of using a formula to generate unique passwords for different services. What really stunned me is the formula you invented for yourself is almost identical to mine!! Thus, I’m reminded that humans are surprisingly predictable, even when we think we’re being super sneaky. 🤔. Time to get a Yubikey!

  • @ic3xiii
    @ic3xiii 3 года назад +1

    thanks for clearing up my setup issues with Yubi Keys (that it also supports TOTP). now I am wishing/wanting it has a password manager built in LOL

  • @JoopHbR
    @JoopHbR 3 года назад

    I use my Yubikeys on a regular basis with PC and Android devices and they are easy to use. Setup is not a problem either, but I wouldn't ask my wife to do it. Also, as a KeePassX user I had to experiment with the original KeePass and KeePassXC to see what also worked with Keepass2Android on my tablet and phone. Only databases created with KeePassXC were working on my phone in combination with the Yubikey over NFC.

  • @fedemtz6
    @fedemtz6 3 года назад

    To anybody using a mac with Google Authenticator on an iPhone, you can use Handoff to copy and paste between your iPhone, Mac, and iPad

  • @ArkamasRoss
    @ArkamasRoss Год назад

    One method for using TOTP as a backup is copying the secrets used aside from the QR code into a text file and keeping that on a secure flash drive. If your primary authentication method is compromised you can use the secrets to temporarily set up an authenticator app to regain access.
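    The two comments above (@tobygroves2112 on programming several keys from the same 'manual' code, and @ArkamasRoss on keeping the secret aside to recreate an authenticator later) both rest on one property of TOTP: the six-digit code is a pure function of the shared secret and the clock, so any device seeded with the same secret produces the same codes. The block below is an added example, not code from the video or from Yubico; it implements RFC 4226 HOTP and RFC 6238 TOTP with only the Python standard library, parses the otpauth:// URI that an enrolment QR code encodes, and shows two "keys" seeded from one saved secret agreeing with each other. The sample URI is constructed for the example and uses the RFC 6238 test secret, so the outputs can be checked against the RFC's own vectors. The caveat the comments imply is worth stating: a text file or USB stick holding these secrets is a complete copy of the second factor, so it needs the same protection as the key itself.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed for this example: the URI a service embeds in its enrolment QR code.
# The secret is the RFC 6238 test key ("12345678901234567890" in base32).
SAMPLE_URI = ("otpauth://totp/Example:alice%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30")

_DIGESTS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def parse_otpauth(uri):
    """Split an otpauth://totp/... URI into the parameters an authenticator stores."""
    p = urlparse(uri)
    if p.scheme != "otpauth" or p.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = parse_qs(p.query)
    return {
        "label": unquote(p.path.lstrip("/")),
        "secret": q["secret"][0],
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
        "algorithm": q.get("algorithm", ["SHA1"])[0].upper(),
    }


def decode_secret(secret):
    """Base32 secret as shown in the 'manual entry' box: tolerate spaces, case and missing padding."""
    s = secret.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key, counter, digits=6, algorithm="SHA1"):
    """RFC 4226: HMAC over the big-endian 64-bit counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), _DIGESTS[algorithm]).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, digits=6, period=30, algorithm="SHA1"):
    """RFC 6238: HOTP with the counter set to the number of whole periods since the Unix epoch."""
    at = time.time() if at is None else at
    return hotp(decode_secret(secret), int(at) // period, digits, algorithm)


def verify(secret, code, at=None, window=1, digits=6, period=30, algorithm="SHA1"):
    """Server-side check allowing +/- `window` steps of clock drift; constant-time compare."""
    at = time.time() if at is None else at
    return any(
        hmac.compare_digest(totp(secret, at + step * period, digits, period, algorithm), code)
        for step in range(-window, window + 1)
    )


def keys_agree(uri, at):
    """Seed two independent authenticators from the same saved secret and compare their codes.

    This is what happens when the same manual code is entered on a primary and a backup
    Yubikey, or when a saved secret is later loaded into a phone app."""
    primary = parse_otpauth(uri)
    backup = parse_otpauth(uri)  # second device, provisioned from the same QR/secret
    code_a = totp(primary["secret"], at, primary["digits"], primary["period"], primary["algorithm"])
    code_b = totp(backup["secret"], at, backup["digits"], backup["period"], backup["algorithm"])
    return code_a == code_b


if __name__ == "__main__":
    enrol = parse_otpauth(SAMPLE_URI)
    print("account:", enrol["label"])
    print("code now:", totp(enrol["secret"], digits=enrol["digits"], period=enrol["period"]))
    print("primary and backup agree:", keys_agree(SAMPLE_URI, time.time()))
```

Running it prints the current code for the sample account and confirms that the two devices seeded from the same secret agree; `verify` is the counterpart a service runs, with a one-step window because a hardware key's clock is really the host's clock at the moment the code is generated.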

  • @RixtronixLAB
    @RixtronixLAB 2 года назад

    Vote up, nice video clip, thank you for sharing it :)

  • @olmynuwen
    @olmynuwen 8 месяцев назад

    Very nicely explained. Thank you.

  • @tcntad87
    @tcntad87 3 года назад +1

    I googled yubikey on my work computer 1-2 days ago, now I'm watching this video, it just appeared

  • @tup2012
    @tup2012 Год назад

    I have 3 Yubikeys and started to use them in 2017. But I find using authenticator apps (Authy in my case) is more secure. The apps are protected by their own PIN AND your phone PIN, while the Yubikeys are totally naked, meaning that they're fully functional in the hands of anyone (or any thieves).

    • @CyberMedics
      @CyberMedics Год назад +1

      You can set a PIN for U2F and password for TOTP on the Yubikey. Although some U2F services don't require the pin (Google doesn't, Microsoft does, Yahoo does....) Authy has your account tied to a cell phone that now becomes an attack surface for hackers. Google authenticator has a unique feature of outputting a combined QR code for your accounts. You can put the QR code into an encrypted file, upload to a secure cloud provider. Then you would always be able to recreate your TOTP codes. Auth apps are inherently vulnerable to phishing attacks, which you probably know. You could also use a bio key tied to fingerprint & secured with a PIN, although Yubikey bio keys are easily subject to lockout after 3 failed attempts.

    • @3QuaNiMiTyy
      @3QuaNiMiTyy Год назад +1

      As noted by CyberMedics, you can configure the Yubikeys to require a passcode to function. Further, a hardware key cannot be accessed remotely by a hacker where you have a physical touch required to activate the Yubikey. So your threat model has to countenance that you will have your possessions stolen for a Yubikey to be less secure than Authy. Nota bene, I use Authy wherever I can't use my Yubikey, great app.

  • @angelicaw9111
    @angelicaw9111 3 года назад

    Anyone considering a hardware key might want to take a look at OnlyKey.
    They're a much more robust security "key" solution.
    The device itself is passcode secured, so even if someone were to steal it they couldn't do anything with it.
    You can store URL / user name / password and Google TOTP in a single slot, of which you have up to 24; the complete login above can be processed with the touch of one button.
    You can store a PGP key on the device. You can set up a virtual Yubikey on the device.
    The device has two banks of 12 slots and also has an option for a self-destruct, i.e. it wipes all info on the device on entry of a code.
    All of this does come with a learning curve, but most anyone listening to videos about networks, PBX and security shouldn't have too much difficulty figuring it out.