Yubikey 5 - a Hardware 2FA - Is it Useful? - Review

  • added 1. 08. 2024
  • Reviewing a Yubikey 5 Nano. I've had this device for over a month and I will show you the pluses and minuses of this device and this form factor in particular. Showing you how this can be used for 2 Factor Authentication as well as other uses for logging in.
    Yubikey is a Hardware Authenticator for 2 Factor Authentication as well as having other options for supplying passwords. This replaces the common method of doing verification codes via text or email and intends to simplify 2FA.
    In this video I talk about how I put it to use and if this (a) improves the login process and (b) increases my internet safety.
    I'm the Internet Privacy Guy. I'm here to educate. You are losing your Internet privacy and Internet security every day if you don't fight for it. Your data is collected with endless permanent data mining. Learn about a TOR router, a VPN, antivirus, spyware, firewalls, IP address, wifi triangulation, data privacy regulation, backups and tech tools, and evading mass surveillance from NSA, CIA, FBI. Learn how to be anonymous on the Internet so you are not profiled. Learn to speak freely with pseudo anonymity. Learn more about the dangers of the internet and the dangers of social media, dangers of email.
    Contact Rob on the Brax.Me App (@robbraxman) for encrypted conversations.
  • Science and technology

Comments • 301

  • @robbraxmantech 5 years ago +189

    Within seconds of posting this video, a shill already put a thumbs down. LOL. If you're a Yubikey competitor, why don't you send me a review copy of your product instead? Zucked up!

    • @robbraxmantech 5 years ago +5

      Watch my video on creating 2FA without a phone number. That's my alternate factor. Unfortunately registering multiple hardware 2FA's is not universally allowed (example is Twitter). As this video shows, if you have one form factor (USB-A), you will not be able to reuse the same hardware on a USB-C. If you go to the end of the video, my wishlist was to be able to sync multiple Yubikeys.

    • @varun_chunduru 5 years ago +5

      So you're saying that we cannot use a Yubikey 5 NFC with Android mobile using a type-A to type-C converter ??

    • @robbraxmantech 5 years ago +5

      @varun_chunduru No you cannot use converters of USB-A to USB-C. Which makes sense because if you can put one of these on a hub, then in theory you can intercept the traffic.

    • @varun_chunduru 5 years ago +6

      @robbraxmantech Have you tested it? Using Yubikey (type - A) using converter to an Android mobile??

    • @robbraxmantech 5 years ago +5

      @varun_chunduru Yes of course I tested it.

  • @chuckbecker8735 3 years ago +42

    This whip smart, honest, humble man is on our side and is working to protect us. Valuable gift to us.

  • @Kaffeguy1 4 years ago +6

    Thank you. You cleared up a lot of information in an easy to understand manner. I look forward to seeing more of your videos. I've subscribed. R. Varela

  • @jonesjl99 3 years ago +12

    You may want to update this video. I’m researching these now and listening to your video it is outdated. 1 - you can use them with Windows now, 2 - you can use a USB-C to USB-3 converter to switch between devices. They are about the same size as the nano, 3 - some sites allow you to use multiple keys now. Probably not the best security option, but would allow you to have a backup key stored safely away. Good info though...

  • @melblacke5726 2 years ago

    Thank you for this video. This was extremely informative, very straightforward and the only video I have viewed on this subject that clearly explains the form factors, their names and respective uses and exactly how it might work (or might not) work with a password manager.

  • @rameshchhablani7457 4 years ago +2

    A very good description and use of the Yubico Nano key. I am going to buy this key. You answered the many questions I had as I wasn't sure which Yubico 5 to buy.
    Thanks

  • @Seanofthemurray 4 years ago +1

    I appreciate your insights. I've been coming across your videos a lot recently as I'm starting to take internet privacy seriously. Byproduct of studying cybersec in preparation to switch careers. Thanks virus!

  • @Wasko2 4 months ago

    I love this guy. Thanks for all you do Rob. Life changing info on every video.

  • @stellaandcoop1820 3 years ago +1

    Rob, your video was the best one I found on the yubikey. I found that the static password works great for lastpass master but you can also add your own unique portion you type and then long press the yubikey to have the static fill in the rest of it. then short press for the 2fa from the yubikey. i got the nano based off your review and it's amazing on a laptop. i got the yubikey 5 nfc as my alternate and works great on anything including a lightning to usb adaptor i already had from apple ... and nfc to my iphone XR. these are cooler than you think because they allow you to stay logged out of password manager and log in quickly when desired.

  • @mrsidtub 4 years ago

    I subscribed to your channel. I am using a Yubikey that I just received from the manf., I think that this type of security management is going to be the next BEST thing. I remember when we used some software in a project way back when and it would NOT allow you to use that package w/o the dongle that is what they were called then and I thought it was great and a pain in the ass sometimes because it was used on multiple machines, each needing its own expensive key! Thanks for the in depth review.

  • @azenkwed 4 years ago +2

    Very informative, thank you!

  • @GrowMoneyWithAI 4 years ago +3

    I LOVE my YubiKey 5 (nfc) used for iPhone X and computers.

  • @wh3927 3 years ago +1

    Thanks very much for this - I'll look up something more recent too but this was a good intro to user thoughts.

  • @briianhebert 3 years ago +4

    Thanks for the video! I have tested a USB A to USB C adapter and it worked on my Galaxy phone just fine for use with Yubico Authenticator. I could also use NFC of course but it is a pain to always have to turn on NFC and try to find just the right spot on the back of the phone that will read the key. Also the Static Password is super easy to set up and use with a user defined password, just choose the Scan Code button in the menu instead of Advanced, choose your keyboard type and then enter your desired password then write to key.

    • @ankersman 1 year ago +1

      This setup works just fine with my Xiaomi 9T phone.

  • @RussellSmith-nv2je 5 years ago +2

    Thank you Rob, this is a great review

  • @demeaningplebny1363 5 years ago +1

    Very nicely done with some good tips and arguments brought out.

  • @ops70 4 years ago

    Excellent review! Thanks!

  • @kennb.4169 3 years ago +2

    Thank you for the insights, your wishlist is the reason my yubikey isn't used.

  • @ops70 4 years ago

    Very detailed video. Thanks!

  • @rbotvinik 4 years ago

    very useful summary, thank you so much

  • @DMain-tb8ye 4 years ago +7

    The concern about having nfc in the usb seems moot as if you leave the key plugged in all the time - you risk someone just using/tapping the key and entering - this circumvents the advantage of 2FA (something you have rather than just know/password). It should always be kept with you.

  • @christineescajeda8167 3 years ago

    Thank you for sharing you are very smart
    Loads of information trying to keep up

  • @DKH83 4 years ago +1

    I have the same experience and could live with it and so I have decided to return the product. It also did not work properly with android NFC. I will give this another go if they have fixed what you have mentioned in the last section of your video. Great video by the way.

    • @robbraxmantech 4 years ago

      Thank you. I don't use it much now myself. I'm mostly using TOTP (Authy etc).

  • @antoinetteokeefe3749 2 years ago

    WOW this was a really great video review !!

  • @email16v 4 years ago

    You did very good to discuss this device and appreciate you sharing your thoughts. I was given one as a gift today. I'm familiar with the devices and found them to be more headaches than it is worth. I use LastPass, change my passwords frequently, and have MFA authenticator setup. For the most part, I think I'm managing passwords well without another device yet, now that I own one, I will do some testing. Who knows, this may be the device my wife is looking for since she gets really peeved when she has to enter her password. She likes the biometrics (fingerprint) a lot and is trouble-free. Maybe she'll want this for her laptop (with USB-C). Thanks again!

    • @fnd237 4 years ago

      Man in the middle attacks are rare but you're not protected against that without origin detection, which YubiKey provides.

    • @butmunchass 1 year ago

      @fnd237 Right on. Man in the middle attacks are actually very common. If you are tech savvy you can usually avoid them but for old/tired/lazy people YubiKey is great. My mother tried to get me to give her a security code that was emailed to me. She was about to give it to a scammer that fooled her into trying to get her to turn it over.

  • @BannorPhil 3 years ago +6

    @ about 17:20 or so: Factually incorrect. I am using my USB C -based Yubikey in my computer with an adapter to fit into a USB A slot. It works perfectly.

    • @StoicSimp 2 years ago

      Interesting. If this is truly the case then maybe some adapters have compatibility issues while others do not. And maybe Braxman happened to have an incompatible one? I also have an adapter that I may try out. Not sure if there would also be a security concern in the case you buy some shady 3rd party adapters off like ebay that happen to be harboring malicious software.

    • @BannorPhil 2 years ago +1

      @StoicSimp My adapter is a standard, plain USB-C female to USB-A male adapter - it's even smaller than the Yubikey (but a bit thicker).

  • @huestifer 3 years ago +18

    You can duplicate the Yubikeys. I have done this for years. At 10 minutes the video says you can't have two identical Yubikeys that are synced on two different computers. You should use the Yubikey configuration tool. You can wipe the Yubikeys and make them all the same.

    • @jacklewis100 2 years ago

      When one changes (i.e. you add a new account), do you have to bring them back together to re-sync. them ? i.e. I can't have one in LA and one in NY permanently...I'd have to fly one to the other every time there's a new account ?

    • @huestifer 2 years ago

      @jacklewis100 It doesn't work that way; you don't have to change the key configuration every time you add a new account. The keys are made identical if you want using their configuration tool. Then you can give two or more people no matter where they are a key. They all have the same level of account access. You just keep pairing any one of the keys to each new account you make then they all will work with that new account.

    • @jacklewis100 2 years ago

      @huestifer Ah... so the key doesn't actually store any accounts - it's the accounts/web services which become aware of the permitted keys! Thanks. That makes a lot more sense.

    • @sophiesmith5922 2 years ago

      @jacklewis100 There is also a corporate version of the yubikey that allows you to control logins to a corporate server, for example. They also have tools that allow businesses to create more than one key at a time for a large business enterprise.

  • @clewlem 5 years ago +1

    Thank you, very informative video.

  • @wildmanjeff42 2 years ago

    Thanks for the video!

  • @daixtr 4 years ago +3

    Helpful review, I learn a lot. It sounds complicated. It can only store one password? If it is lost, what are the steps to protect ourselves, is there a revocation process?

  • @gabeg.4583 5 years ago +6

    Nice in-depth review, and dispelling common myths. Here is what I'm wondering: For any account that has a backup 2FA SMS enabled, isn't that still the weakest link in the security chain?

    • @robbraxmantech 5 years ago +3

      It is and I hate the use of phone numbers for many reasons to begin with. I have another video on doing SMS 2FA without a phone number. Is that any better? Better for privacy but someone with access to SS7 hacking can intercept the SMS. The better backup is TOTP (Google Authenticator or Authy).

    • @StevoDesign 1 year ago +1

      Consider using a number tied to a web service like Google Voice no SIM card, this can make it on par with email OTP in terms of security since someone would need access to your Voice account instead of just being able to scam your carrier into spoofing your sim card.

  • @yeayea8334 1 year ago +3

    0:47 2Fa
    3:36 2 specific uses: 2Fa and static password
    3:52 Yubikey and 2Fa
    6:20 password manager
    9:35 Yubikey on mobile phone
    10:40 if you lose Yubikey
    11:10 Yubikey and burner phone
    11:28 Yubikey and computer: how it works
    12:22 Yubikey nfc vs nano version
    13:56 Yubikey static password vs 2Fa password
    15:00 summarize

  • @dleivam 3 years ago +4

    Awesome review, not like other sold out biased youtubers that only mention the good things and "forget" the bad, only because they receive free stuff.

  • @jeremymarquart1065 2 years ago

    Hey Rob, thank you!

  • @shtumpa1 3 years ago +6

    You can register more than one USB key to an account and for 2FA app you can assign more than one key.

  • @waynestewart1919 3 years ago +2

    You can register a second physical key. It is great as a backup in case of lost/stolen or damaged keys. (And if you get two different USB types then that solves this issue.) (Btw, NFC authentication doesn't work with most mobile browsers. Apps only.)

    • @uniquechannelnames 2 years ago

      Not every site allows 2 keys. But you're right it only makes sense to allow 2 for backup reasons.

  • @six10kenny 4 years ago +5

    Thanks for the vid Rob.
    I have been researching tightening up my security in all areas, and considering Yubikey as well.
    I like the idea of using it as a static password for my Mac as well, though it comes to mind that if you were to leave the nano plugged in, or your yubikey around, and someone managed to get physical access, in the event of a theft, break in, or confiscation, which I have heard is happening more often at airports now so they can access all your data. But that's a story for another day. Isn't this leaving you very unprotected? Seems it would make accessing your computer and files even easier.

    • @robbraxmantech 4 years ago +3

      I would only use a static password case if I were sure of my physical security like at home. I wouldn't use it in an open work environment.

    • @KevinJohnsonIstMein 4 years ago

      You can also use the static password and add your own extra characters to the end of it for better security.

  • @AnthonyDomagas 5 years ago +2

    Great review. Do you know if the USB C key has the option to configure 2 static passwords. BTW have you figured out how to configure your own static password?

    • @robbraxmantech 5 years ago +2

      I don't know if they've changed the software since but at the time I made the video, you can only configure one additional use (static or TOTP). The way it works is by touch time. If you touch it for a few seconds it is mode 1. Longer (10 seconds or so), then you get mode 2. So if you use a Yubikey for static only, in theory you can get 2 static modes. Or 2 TOTP modes or any combination of 2.

  • @crabsodyinblue 3 years ago +5

    i got me the 5Ci, with a separate USB-C to USB-A adapter (€12) to use it on mac, iphone and windows machine

  • @sbinvllc2252 3 years ago +3

    Does the Yubikey have upgrades to the software? Who controls the software updates? I know this seems to be the best option in the market but I am always trying to see any possible vulnerabilities. No, I wasn't born skeptical, well, maybe I was.

  • @realhardpolitics-com5124

    Agree with your wish list 1000%

  • @andre1987eph 2 years ago

    Thanks good review

  • @digitalfuturego3588 5 years ago +1

    Perfect review

  • @jmr 1 year ago +2

    I've been using them since 2017 for online verification and always been able to use multiple Yubikeys with EVERY service that supported them. In fact a minimum of 2 has always been RECOMMENDED in case one is lost or damaged. I question the management of any service that allows 1 but not multiple Yubikeys. I have also been using USB A to USB C and Micro adapters for phone and tablets. If adapters didn't work for you that incompatibility was elsewhere.

    • @livewire98801 1 year ago +1

      He's conflating WebAuthn and/or FIDO2 with YubiOTP. There are services that only allow one YubiOTP entry (though Lastpass allows up to five, so it's not a technical limitation), but any that use them as Fido(2) / WebAuthn allow and even recommend setting up more than one.

  • @oyhchris 2 years ago

    Good review

  • @thelongslowgoodbye 3 years ago +2

    Rob, they make a combination Yubikey which has both USB-A and USB-C connectors on the one Yubikey. Moreover, you can program/clone more than 1 yubikey so it shows up as the same key across multiple devices.

    • @petrslavik4356 3 years ago +1

      Can you provide a link please? I found only combination of usb c and lightning

    • @uniquechannelnames 2 years ago

      Sooo if I'm getting this right, if I had 2 yubikeys and say yubikey #1 was used for my Google account. If I clone the 2nd yubikey to be identical to the 1st, and then lost yubikey #1, I could use #2 in its place for logging in?

    • @livewire98801 1 year ago

      @uniquechannelnames You can't clone Yubikeys. But you can register more than one.

  • @andrewwood1900 3 years ago +3

    love your videos, I more or less figured out quite a few of the same concepts myself over the years - the only thing I'd say is there's a lack of open source since I think the 3 - neo, and for all the RF stuff they offer, I'm sure a capable chap such as yourself could brush past a phone with near field switched on (for these keys and their convenience) and steal a bunch of creds from the phone concerned. If you build one of those and go to a concert you can walk out a millionaire... Other than that, I do like the things, just switch off NF on your phone.

    • @sophiesmith5922 2 years ago

      It would be extremely close and obnoxiously noticeable. Less than 3 inches, and you must also tap the yubikey button to trigger it. Don't try this near someone's back pocket. If they step back slightly and touch your hand, you may end up being charged with groping and wind up on a sex offender registry. Yes, NFC is that close.

    • @flynntsang 1 year ago

      Assuming one could get close enough, how exactly would an NFC-enabled hacking device steal creds from a victim's phone? The two devices need to be configured to trust each other first, no?

  • @Quinqx 3 years ago

    Anyone who uses a Yubikey with LastPass; LastPass allows you to register multiple keys. This allows me to have one key in my private laptop and have a separate (NFC enabled) key in my bag when I leave home without a laptop. It also gives me the ability to access my personal vault when on business travel with just a business laptop and business related Yubikey.
    When it comes to using a hardware key with KeePass, I really never used a browser plugin but just used Auto-Type function to fill the username and password fields. In case someone would like to use that combination, try it and see if that's what you were looking for.

  • @Retro6502 4 years ago +2

    I don't see them giving the ability to sync multiple keys. That would be a security issue because it would make it possible to clone them. The whole point behind the secure element is that it can't be read/replicated once it's manufactured. They could create duplicate physical keys in the factory, and maybe that's something they should offer (like a set of 2 identical keys) but it would really reduce the security if they could be altered after manufacturing.

    • @marcespina1 4 years ago +1

      Not true. You can use two keys at the same time. I have both the nfc YubiKey and the 5ci YubiKey. Whenever you set up 2FA, you get a QRcode from the website. You just scan the code with the YubiKey app, swap your key, then scan it again. Now both keys will have the 2FA codes.

    • @youtuveunvideo 4 years ago +1

      @marcespina1 what Retro is saying is of course true. He is saying that a private key should never leave an HSM. You are saying that several public keys can be registered as authorized keys to access a service. So you are both right, you are just talking about different things.
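
The QR-code procedure described in the thread above, as an added example that is not part of the original comments: TOTP (RFC 6238) codes are derived from a secret shared with the service, so two authenticators that scanned the same QR payload are indistinguishable to the service, and a lost one can only be cut off by rotating that secret. The `Service` and `Authenticator` classes, the account and issuer names, and `ROTATED_SECRET` are constructed for illustration; `RFC_SECRET` is the RFC 6238 test secret.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

RFC_SECRET = b"12345678901234567890"      # RFC 6238 Appendix B test secret (SHA-1)
ROTATED_SECRET = b"constructed-new-seed"  # constructed replacement secret for the demo


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238: HOTP with the counter set to the current 30-second time step."""
    return hotp(secret, unix_time // step, digits)


def provisioning_uri(secret, account="alice", issuer="ExampleService"):
    """Build the otpauth:// payload that a service encodes in its enrollment QR code."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}"


def secret_from_uri(uri):
    """What an authenticator does on scan: pull the Base32 secret out of the URI."""
    b32 = parse_qs(urlparse(uri).query)["secret"][0]
    return base64.b32decode(b32 + "=" * (-len(b32) % 8), casefold=True)


class Authenticator:
    """Hypothetical stand-in for one hardware key or phone app holding a TOTP seed."""

    def __init__(self, label):
        self.label = label
        self.secret = None

    def scan(self, uri):
        self.secret = secret_from_uri(uri)

    def code(self, unix_time):
        return totp(self.secret, unix_time)


class Service:
    """Hypothetical relying party that stores one TOTP secret per account."""

    def __init__(self, secret):
        self.secret = secret

    def qr_payload(self):
        return provisioning_uri(self.secret)

    def verify(self, code, unix_time, window=1, step=30):
        # Accept the current step and one step either side to tolerate clock drift.
        return any(
            hmac.compare_digest(totp(self.secret, unix_time + d * step), code)
            for d in range(-window, window + 1)
        )

    def rotate(self, new_secret):
        self.secret = new_secret


def demo(now=1_700_000_000):
    service = Service(RFC_SECRET)
    primary, backup = Authenticator("primary"), Authenticator("backup")
    uri = service.qr_payload()
    primary.scan(uri)   # scan the QR code with the first key...
    backup.scan(uri)    # ...swap keys and scan the same code again
    result = {
        "same_code": primary.code(now) == backup.code(now),
        "both_accepted": service.verify(primary.code(now), now)
        and service.verify(backup.code(now), now),
    }
    # The backup is lost: the only way to revoke it is to replace the shared secret,
    # which also invalidates the key that is still in hand until it is re-enrolled.
    service.rotate(ROTATED_SECRET)
    result["lost_key_rejected"] = not service.verify(backup.code(now), now)
    result["kept_key_rejected_until_reenrolled"] = not service.verify(primary.code(now), now)
    primary.scan(service.qr_payload())
    result["kept_key_accepted_after_reenroll"] = service.verify(primary.code(now), now)
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
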

  • @d-boy1644 3 years ago

    Great explanation ✅✅✅

  • @antonygoedhals6272 3 years ago

    Hi Rob, you can in fact use the series 5 usb A on a USB C computer, with a converter dongle.

  • @sophiesmith5922 2 years ago

    Rob, leaving your key plugged in leaves a physical security risk as a person could clone the key, given time and physical access. Most people don't worry about this at home, but having had a PI break into my house (your home is not nearly as secure as you think!) I learned to not assume anything. Bathroom break at home, ok. Leave it when you go to work...nope!

  • @Alexandru642 4 years ago

    Hi, I bought a yubikey not long ago. I can't set it up on binance and they required me to add a PIN manually. Now I am concerned about that PIN, that it couldn't be taken by phishing. Is it actually saved on my yubikey or is it just a PIN which is used before, and when I press the yubikey device it generates another code? Many concerns about it, please somebody HELPP! Thank you

  • @garykray 3 years ago

    I appreciate your review. Does it work with Yahoo?

  • @felixaudet5860 5 months ago

    It would be nice if you could do an update on that. So many sites now ask to take a pic of an on-screen QR code, as a 2FA method, can this be done with the Yubikey and is it as safe?

  • @1docwebb729 3 years ago

    Have you looked in to ellipal titan let us know if they will comp you one for a review on a new video, thanks great content.

  • @mikenazarof3212 3 years ago +1

    Sir, in your opinion do printable backup codes make an account protected with security keys more vulnerable? For example, Google back up codes are only 8 digits.

    • @sophiesmith5922 2 years ago

      It's not the code length. It's that if someone manages a password heist and logs in once, they can copy codes and use them in place of 2FA and lock you out of your account if they so choose. I had my comcast xfinity account hijacked by a PI due to their poor security practices. I then had 2 different gmails hijacked that were used to impersonate me while I am locked out of them. That is beyond the scope of a normal PI. It's just creepy, but consider that in order to do that job you have to have no ethics anyway...

  • @fabriglas 2 years ago

    Can the clipboard be compromised or reviewed afterwards?

  • @TheYoungerSemiOldMan 5 years ago

    I appreciate the videos, and no, you don’t have to make them shorter. I watch them as you go into depth which is what we need to understand it. I have questions:
    1) I bought 2 yubikey 5 NSD
    2) outlook live was tested first and worked fine after it asked to create code
    3) added 2nd and was fine
    4) tried google, failed
    5) tried in chrome, failed with endless spinning until it gave a message stating it needed to be plugged in
    6) restarted computer, gmail failed again to sync with same errors
    7) I have never found anything that explains how many emails you can apply
    8) I haven’t found anything that wipes the whole thing to start from scratch or updates that don’t require intense DOS style script for each “applet” where directions are difficult to follow
    9) support to LastPass and yubico has been sent and have gotten zero responses
    10) how far am I off? Is it a software thing? I saw a video where the thickness of the usb section varied and could be part of the problem, no?
    Thanks in advance.

    • @robbraxmantech 5 years ago

      That's a long list! LOL. There's a lot that you didn't read. For example, Lastpass only supports Yubikey using their Premium version. But I don't use TOTP with Lastpass, I just use it as a master password. Which requires some setup.
      There are always ways to disengage TOTP from any of those websites. Just remove the 2FA and start again. Many websites don't allow two TOTP devices. If it failed, try it again something didn't get processed right. For example, if you tap on the device too long. It should be a brief tap. A long tap is considered to be the 2nd mode (which is for a password)

  • @eganzale 2 years ago

    Do you know if consumers can use the 5C FIPS series keys? I'm wondering if the regular 5 NFC series differs from the 5 FIPS series other than the added level of security on the FIPS. I ask because I'm wondering if let's say you want to secure your gmail account with the regular 5 series, can you also do it with the 5 FIPS series? Or are most accounts the average user utilizes only compatible with the regular 5 series and not the FIPS series? If I can still use the FIPS series that has government level 3 encryption vs. the regular 5 series, which only has level 1 encryption, then I'd rather just make the investment and pay slightly more for the FIPS version and get added security but I'm not sure if it's ONLY for government use or can regular consumers use it too and for the most part it would still function like the regular 5 series but with the added protection? Thanks for making your content, it's valuable in today's digital world 👍❗

  • @georgetorres4158 5 months ago

    Hello Rob,
    I realize this video is 4 yrs. old, I just want to know if you have any new opinions on yubikeys? I.e. are they reliable, user-friendly and most importantly which brand you can recommend.
    Thanks

  • @ifodaniell 4 years ago +2

    If you're going to use the static password facility of the key, you should have a prefix that is NOT on the Yubikey that is appended by the "fixed" password stored on the key in case the Yubikey is lost or stolen.
    In other words, if the static password is "hd7QWh%^87hd", then make your "master" password something like "6592" (typed by hand) + "hd7QWh%^87hd" (activated by the Yubikey).

  • @liarborisjohnsom4136 3 years ago

    Hi Rob, I have the yubikey 5C and 5NFC. THE YUBIKEY 5NFC works fine on my laptop but the Yubikey 5 C does not work on my Samsung Tab A nor my Samsung A40 Smart phone, it either takes too long to load or does not recognise my Yubikey 5c at all. I am a disabled person who uses social media often and I desperately want to use Yubikey on all my devices. Best wishes from UK.

  • @Wade_NZ 3 years ago

    Do you have any password manager recommendations?

  • @fredflintstone4087 2 years ago

    If you said most systems default to email or text when you lose the key then how safe is the key if email or text can be hacked? I would think it should be key or backup key or nothing. Please let me know how to protect against a hacker that can claim they lost their yubikey?

  • @spartyzik 3 years ago

    If you leave this in your computer and step away, can't I pop it in my computer, steal your master password, and put it back?

  • @GeneBasler 3 years ago

    So wait a minute you’re cool with using AWS for your cloud storage? I’m trying to move away from them as much as I can because if there is Susie as him about the surveillance state

  • @mikemcgrath3814 3 years ago

    @10m00s: You can only use one device with one key on one account. You can't sync multiple different form factor Yubikeys and access the same account via different hardware. Uhh, okay, wow. Thank you for saving me the time and effort!

    • @Runenaldo 3 years ago +1

      It's not true, you can set up multiple keys to the same accounts and have them as backups, I don't know where this man got all his misinformation from..

  • @starshine_Ultra 3 years ago +1

    I use the yubikey usb a and usb c with their own converters to switch with computer and mobile, it is best used with 3.0 converter that will make it work. If using the standard converters that aren’t 3.0 then it doesn’t function properly.

  • @DQ940 3 years ago

    You can use multiple yubikeys. You should have a backup because if you want all the benefits of using a secure key then you ought to be turning off other weaker methods of authentication like cellphone/mobile authentication.

  • @GiC7 4 years ago +1

    Thanks

  • @eibmoz76 4 years ago

    I didn't quite understand. Does the YubiKey 5 Nano work on Windows 7 and which browsers are compatible, like does it work in Firefox and Brave?

    • @robbraxmantech 4 years ago +1

      A Yubikey works by emulating a keyboard. It's really simple technology if you think about it. Thus it is compatible with everything

  • @thegolflife7565 4 years ago

    What happened to Everykey? It was supposed to do everything from login to your MacBook to start your vehicle but it never did either...

    • @robbraxmantech 4 years ago

      The industry has standardized into FIDO2 and a specific implementation of TOTP. Same with the TOTP apps like Authy and Google Authenticator. So the old auth methods just didn't change. In many ways, the hardware approach is a pain so I tend to use the software version more (Authy, and Google Authenticator).

  • @musiceditor7083
    @musiceditor7083 6 months ago

    Do sites where you use a Yubikey store data about your fingerprint if you use a biometric key/ phone if you use an NFC key? i.e. would Amazon be able to see your fingerprint/ IMEI of your device if you were to use these keys to log in? Also, does Yubikey themselves collect any sort of data via these keys?? Heard a lot of these 'third party authenticator apps' mine a bunch of personal data.
    LOVE your vids Rob. Greetings from the UK!

  • @goldbrick2751
    @goldbrick2751 3 years ago

    Great video, what happens when I lose my Yubi key stick that I have on my keychain with all my keys, am I stuck then to use my computer?

    • @moneyrulus4883
      @moneyrulus4883 3 years ago

      You can have a second yubikey, with the same TOTP or the same U2F...
      It is like what you are supposed to do with your hardware wallet.

  • @SmedleyButler1
    @SmedleyButler1 1 year ago

    update? vs solo or any key? verify they don't go online?

  • @TaximanGlen
    @TaximanGlen 2 years ago

    My Yubikey is of USB-C form factor and I simply use a C-to-A adapter to make my key fit any device I may use.

  • @percyfaith11
    @percyfaith11 2 years ago +3

    Some apps and websites do allow for registering more than one yubikey. This is handy for having a back up yubikey that you can store.

  • @zacheray
    @zacheray 4 years ago +1

    I’m not sure you accurately described how it works according to a video explaining the U2F protocol. The device does more than act as a simple keyboard macro, according to other sources.

  • @nikenbole
    @nikenbole 3 years ago +1

    You said you only can register one key at a time and u need to use either usb-c or usb-a. But I just got two yubikey 5 nfc usb-a version, and the services I've tried so far have let me register both keys and it worked on my phone both with nfc and using a usb-a to usb-c adapter. Did u mean the adapter is a security flaw maybe?

    • @robbraxmantech
      @robbraxmantech  3 years ago +2

      This is an older video. This has been changed.

    • @nikenbole
      @nikenbole 3 years ago

      @@robbraxmantech ah :) damn fast response btw. 🤘🤘

  • @flolou8496
    @flolou8496 3 years ago

    Is there a way to protect your crypto if you've made a mistake and used a wallet from a wallet provider who are the scammers themselves? Is there a way a Yubikey can protect you in this case? I don't think they stole my crypto using a Trojan keylogger to gain access to my password for the wallet, but if the wallet providers themselves just randomly steal from the wallet user base, can a hardware device like still help?

  • @aimgoal8273
    @aimgoal8273 3 years ago

    How about DigiID, Is it safe to use???

  • @CHOPSTICKUPYOURNOSE
    @CHOPSTICKUPYOURNOSE 2 years ago

    What about a trezor key? Is that better than a yubikey

  • @millanferende6723
    @millanferende6723 4 years ago

    There should be an adapter over the top of USB-A, that can be USB C or Micro USB. This way you have all of them.

  • @wallywah222
    @wallywah222 2 years ago

    I need to know if it's made of metal, that's a make or break for me

  • @andrewwood1900
    @andrewwood1900 3 years ago

    the other thing i'd add is I agree don't buy two - the marketing is that if you lose your first one you're stuffed - but if you're concerned and want to start out exactly where you left off - these are factory produced things, so all you do is with Yubikey #1 - get the hexadecimal crypto stuff from the manager, print it off and shove it under your floorboards and hope you never need it - but if you do, just buy another one and put the same hex data in. pwSafe is a good password management option to use with, it'll do PK authentication so with your long password in the regular box it's pretty much unbreakable as it's 256AES

  • @zerokool-2058
    @zerokool-2058 4 years ago

    Does it work with your bank website? Can you set it up to sign into your laptop,

  • @flintstone5404
    @flintstone5404 3 years ago +1

    could you make a video about USB fingerprint sensors that work when plugged in on Linux systems like a laptop on the go?

  • @GooseMcdonald
    @GooseMcdonald 3 years ago

    What about Nitrokey (Opensource)?...

  • @ksc91uinfo
    @ksc91uinfo 4 years ago

    What what what what you can only register one yubikey with one website?
    But why does Google suggest registering a second backup key?

    • @robbraxmantech
      @robbraxmantech  4 years ago

      This is a platform specific question. It's up to the platform to allow multiple keys

  • @ponyososuke6647
    @ponyososuke6647 3 years ago

    It works in Windows 10?

  • @ISKCONRigaTemple
    @ISKCONRigaTemple 4 years ago +22

    Your review lacks demonstrations for completeness. But overall good review, thanks.

  • @rotflol6666
    @rotflol6666 1 year ago

    the USB-C with an USB-C to USB-A adapter solves your problem, also most apps/accounts support a second / third backup key

    • @mr.amsterdam2063
      @mr.amsterdam2063 1 year ago +1

      Video already a couple of years old, he also mentions the hardware should change maybe every year.

  • @AA-gw6wd
    @AA-gw6wd 3 years ago +1

    In another video you asked why is everyone so interested in Bitwarden now? I would like to suggest, although I may be wrong, that it is possibly because of the recent surge in interest in crypto currency and hence A. Antonopoulos's channel and in his Ledger Hack/cyber security videos they mention Bitwarden as one of the main open source password managers.

  • @Gokturk4Life
    @Gokturk4Life 2 years ago

    you can use OTG to convert USB to USBc or LIGHTNING

  • @WafflesOinc
    @WafflesOinc 4 years ago +1

    What about OnlyKey?

  • @brianhoskins1979
    @brianhoskins1979 3 years ago +1

    You'd think that a fairly simple solution to USB-C / USB-A would be to have both types, one at each end. Then you use whichever one you like.

    • @JeffSmith03
      @JeffSmith03 3 years ago

      Which I thought they did, but that was 5C and Lightning (Apple)

  • @martinlutherkingjr.5582
    @martinlutherkingjr.5582 4 years ago +2

    If the websites you use Yubikey with can just fall back to SMS or email then is there any real security advantage to using a hardware key apart from phishing attacks if you are careless and end up putting your OTP into a fake website?

    • @robbraxmantech
      @robbraxmantech  4 years ago

      OTP doesn't work like that! It's 'Time-based One Time Password' (TOTP). Cannot ever be used again. Only the company that has the original private key can validate it. You can pass multiple TOTP results to anyone else and it's meaningless

    • @martinlutherkingjr.5582
      @martinlutherkingjr.5582 4 years ago

      Rob Braxman Tech I’m referring to a phishing site where someone enters their password and TOTP. If the website doesn’t require a new TOTP for disabling 2-fa someone can hijack your account (if they are inputting the information into the real site immediately).

    • @robbraxmantech
      @robbraxmantech  4 years ago

      How would the phishing site know you have a Yubikey? Next, if I were to do Phishing, I'd just accept any password since one of the things I want to collect is the password. Then I will ignore the TOTP since I don't even know it exists. Then I present the fake website. TOTP is not even connected to this story. It has to do with knowing what you're clicking

    • @martinlutherkingjr.5582
      @martinlutherkingjr.5582 4 years ago

      Rob Braxman Tech My original comment was referring to one of the pitfalls of TOTP/Google Authenticator. It appears prevention of phishing attacks is the only advantage I can see of a yubikey from my limited understanding of the device. This is why Binance doesn’t allow withdrawals within 2 minutes of logging in so that you are forced to use a new TOTP code for withdrawal.

    • @robbraxmantech
      @robbraxmantech  4 years ago +1

      It's a different issue when you talk about how someone might hack 2FA with SMS. So if you allow a downgrade to SMS, then you can intercept the SMS with SS7 attack on SMS, or if you've prehacked the email, through email. The downgrade attack is an issue even on security of LTE. But without the ability to downgrade, then the usability is a problem. So yes it is not perfect

  • @myspedo
    @myspedo 5 years ago +1

    Thanks for the video

  • @LWRC
    @LWRC 6 months ago

    As this type of 2FA devices offer some level of security, it brings a whole host of inconveniences and other issues. I think I will stay with my existing security protocol with very strong password management with 2FA and leave it at that!