4 CRITICAL Places to Use a YubiKey (beyond an email account)
Vložit
- čas přidán 2. 06. 2024
- So many people purchase a 2FA security key and then don't know where to use it. They secure their email account...and that's it. Today we're going to walk step by step through four of the most important (and common) accounts to add 2FA security key authentication with a YubiKey.
▶ Need another Yubikey? Get $5 off your next purchase here: yubi.co/all-things-secured-2024
Resources mentioned in the video:
✅ What works with Yubikey? www.allthingssecured.com/2fa-...
✅ Which Yubikey is right for you? • How to Choose the BEST...
✅ How to Use a Yubikey 5 Series as an Authenticator App: • Forget Google Authenti...
If you care about your personal security and privacy online, download my free security checklist here:
✅ Security Checklist: www.allthingssecured.com/secu...
🔹🔹What to Watch Next🔹🔹
I've got a lot of great privacy- and security-related content here on the All Things Secured CZcams channel (although I admit I'm a bit biased). If you're wanting to increase your online cybersecurity, here's what's next:
✅ Change these 7 Facebook Privacy Settings NOW! • How to Change Your Fac...
✅ STOP Using VPNs! (here's why): • Don't Use a VPN...it's...
✅ Are spy apps safe? • DON'T USE MOBILE SPY A...
🔹🔹Support All Things Secured (Recommendations)🔹🔹
If you enjoy this kind of practical security and privacy content, one of the best ways you can help support this channel is by using these affiliate links to our favorite products and services. When purchasing through these links, you not only get the best available deal, the companies will also pay us a small commission. Thank you for your support!
✅ Recommended Password Manager: www.allthingssecured.com/yt/1...
✅ Recommended Identity Monitoring: www.allthingssecured.com/try/...
✅ Recommended 2FA Security Key: www.allthingssecured.com/yt/y...
✅ Recommended Secure Email: www.allthingssecured.com/try/...
✅ Recommended VPN: www.allthingssecured.com/try/...
*********************
Video Timestamps
*********************
0:00 - How to Use a New Yubikey
0:19 - How to Setup a 2FA Key on Vanguard (Tutorial)
4:04 - How to Setup a 2FA Key on iCloud accounts
6:35 - How to Setup a 2FA Key on Facebook accounts
8:57 - How to Setup a 2FA Key on 1Password accounts
11:59 - What Services work with Yubikey?
12:27 - Using a Yubikey 5 as an Authenticator App
*********************
Most people purchase a 2FA key from @Yubico, set it up with their primary email provider and then don't know what else to do with it. In this tutorial, we're going to walk through four of the biggest places where you can start increasing your account security with your physical security key.
#2factorauthentication #yubikey #onlinesecurity - Věda a technologie
Where else have you found your 2FA key to be most useful? Also, if you're not sure which Yubikey you should buy, I did a video explaining the differences that you can watch here: czcams.com/video/WDPFARHQKNo/video.html
Hey Josh, I just bought a yubikey5 but realized only the bigger websites like google and Facebook use the fido2 standard. Steam, epic games, etc don’t have this implemented and my password manager (Bitwarden) doesn’t allow me to set up a yubikey without premium. Are there any more popular services that use this?
laptop?
You skipped the most crucial part for the Vanguard setup. Once you have multiple Yubikeys registered to your account, it will allow you to remove the SMS 2FA option.
YES! So glad you mentioned that. I didn't realize that was possible and I'm so glad to hear that.
I just did all this for Bank of America but it still offers me only sms auth to log in… I haven’t found anywhere I can delete that, the wrapper section now reads like it’s the yubikey only. Going to give them overnight in case they run some kind of early 2000’s chron job to reset that, but if that doesn’t work, it’s back into the suppor call queue 🙄
I was wondering about that as he was going throug the video. SIM swapping now making 2FA a high security risk and many organizations require it. Watching I was thinking what stops a SIM swapper from adding their own secutiy key. Trying to wrap my head around the security key to decide if it's the right choice for me. Now I am wondering if everybody allows to disable 2FA.
Your timing couldn't be better, my yubikey order is arriving tomorrow!
Awesome! Enjoy :)
It’s crazy how so many financial websites don’t give you any 2FA options besides SMS or security questions
I know. Thankfully, I think that’s changing little by little.
Or they do but you cannot remove SMS. so it’s there like a backdoor into your account.
Josh--you are THE BEST!
So glad it was helpful!
Thanks for these videos. As an elevator service tech I found many of these sweeping out the bottom of the shaft and now I know what they were. My question is, if you have a backup key can you delete a lost or stolen key?
Yes, you can remove a key using either your primary or backup key.
Quick question, If I screw up adding a key to a website I have in 1password, (I accidentally told the site to trust this device) can I just delete that website from 1pass and start fresh with the keys... or start fresh w/ 1pass??
Thank you for these great videos. Can you help me understand why you did not choose the mini Yubikey for your laptop? I was thinking it would be so much less prone to getting knocked askew and/or lost or misplaced? Can you elaborate on your choice? Thanks for all your videos and info!
I do have the mini that I keep in my laptop. Most people opt for the 5 series or Security series, so I’m just showing those in the video. It all works the same.
@@AllThingsSecured Thank you for your reply. Since that resolves the last question I had before making my choices, could you please confirm which links are your current links to enable me to place my orders with the no-cost commission to you?
Sorry for the late reply. I appreciate your desire to support. At this point it’s best to just go to their website or Amazon to purchase. No worries about commission 👍🏻
Thank you for this. Have you done a similar video for passkeys? I have a modern Pixel phone that supposedly can be a passkey and I'm trying to find out if my Apple/icloud account can use my Pixel phone as a passkey (yes, I know, that's a stretch). Lastly can I use 1password as a passkey for an icloud account?
I haven't yet, but I'm considering it. And yes, I do believe that you can use 1Password as a passkey for any account that allows for passkeys.
@@AllThingsSecuredyes please for iPhone also
I believe Apple only allows passkeys from iCloud keychain and nothing else so far. That might change in the future but you can keep checking.
my family somtimes uses my laptop, if i add a key to sites (shopping that we all share) will i have to input my fingerprint whenever they want to us the sites/pay?
The Yubikey look great! I bought a 5NFC, and the 5Ci on your recommendation. Tried multiple browsers including Chrome on both Windows desktop, and Android phone. Keep getting the "Something went wrong" Google error when trying to install them. This is becoming quite a time magnet (4 plus hours). Any suggestions? Can you point me to a possible solution?
Have you seen their tutorial? czcams.com/video/PeF0Y8pT7UQ/video.htmlsi=cGwonFwu8x1Bl6o4
IN the Vangaurd example what if you log in via mobile app when the desktop it setup with the 2FA. Can you use Yubikey on the phone app?
Yes, you can. You either plug the key into your phone or take advantage of the NFC feature by tapping it on the back of the phone.
Watching an install of Yubikey on an Iphone which checks for active devices by Apple ID; however, according to video since I have two older devices with older software that does not support Yubikey the work around is very time consuming to delete the Iphone Keys every time and reinstall....is there a work around to get the Yubikey to work on the older MACOS or mybe even windows software?
I’m not clear on all the details here, but using a YubiKey on older Macs is absolutely possible. Not sure why it’s not working for you, but I don’t think it’s the key + operating system.
I have an unrelated question... I bought a couple of Yubikeys and I would like this to be my primary method of 2FA, however, some websites (eBay, PayPal, etc.) still keep your phone number as a method of 2FA, even after adding a Yubikey or authenticator app. What should I do when a website won't allow me to remove text messages 2FA?
Hopefully others answer, but to my knowledge the best you can make of this bad situation is to try to use a Google Voice number for SMS from a well protected google account. Far from ideal, and some services will not allow GV, but it is at least a number not subject to SIM card attacks.
@@myr3434 that is actually a good idea. I'll give it a shot
Yea, I like the previous answer here. You can use a virtual number (not your primary number) for the SMS. Also, for some services like PayPal, you can remove your phone number SMS authentication once you've set up both an authenticator app and a security key/passkey.
@@AllThingsSecured Thank you both for the responses. This was driving me crazy.
@@AllThingsSecuredooh! Please show us how to do this for iPhone 🙏🏻😃
Can two Yubikeys be used simultaneously from different locations logging into the same account? My daughter has my third Yubikey backup for everything(in case i get hit by a bus) but primarily she'll use it to get access to my Amazon account.
I believe it depends on the service, but in my experience yes, the keys can be used from different locations. Simultaneously? Depends on what the service allows.
@AllThingsSecured Is there any way to use Yubikey when encrypting an external drive (like a USB Drive) with Bitlocker? It looks like you can if you setup your Yubikey as a Smart Card but I'm having trouble getting it to work. I'm sure others would be very interested in this as well. Maybe the topic is worthy of a video??
Definitely worth some research because honestly, I don't know the answer to your question!
From your previous vid on password managers, which ones work with youbikey?
I use Youbikey with my BitWarden account.
I believe that all of them do? I know for sure 1Password, Bitwarden, Proton Pass and Dashlane do.
An important security/privacy question. For example you have two accounts both use the same YubiKey. Can the provider see that you have a same security key aka signature?
No. There would be no way to compare.
What are your thoughts on the bio series yubikeys? Doesn’t seem like you use or like them.
I tested them and I like them, but I prefer the 5 series. The Bio doesn't have NFC (making it difficult to use with my iPhone) and it doesn't store authenticator codes.
Hello, I wonder if you have experience that the key doesn’t work on (generating the code or unlocking) the opt work fine?
I haven’t had any problems with it yet.
Hello Mate! Thank you for the informative video. I was wondering how many accounts can be saved on a single Yubikey 5C NFC?
As many as you want
@@anthony9013 thank you Anthony! :)
Yup…it’s unlimited.
Hi Josh- Great info as usual. But I have not been able to get Amazon to let me set up a key, even though their cloud services (AWS) do allow it. Any idea on how to lock down an Amazon account with a Yubikey? Thanks fopr all your content.
Neither Amazon or eBay allow account holders to set up HARDWARE YubiKeys as a method of 2FA.
@@azclaimjumper Thanks, just trying to confirm what I suspected.
Yup, Amazon doesn't allow it.
Yea, it's a shame, but Amazon doesn't let you lock down your account with a physical 2FA key...yet.
I'm confused. Why do I need two keys? I remember you mentioning that some websites require two keys. I'm guessing the primary key and the second one as a backup? So, if I have usernames and password saved on Brave or Google, will the key store it? I saw an article that Brave and Google can use YubiKeys. If my password is compromised, and I have a Yubikey, can the Yubikey still protect me while I change the password?
Correct. You have a primary (that you usually keep with you) and a backup (that you keep stored safely elsewhere in case something happens to the primary). The 2FA key is a second form of authentication beyond the passwords.
What happens if you loose your key device? Also where would you keep this device? On house keys, car keys? Its electronic which means it could break or fail. I am not sure on how tough this is.
Same question
Same question too
When I upgraded to the latest iPhone, my email app on the phone requested the YubiKey. I plugged it into the usb c slot, but the phone could not recognize it; nothing happened. The backup (nfc) also did not work. These same keys work on my computer. I had to uninstall the security and remove the keys from my email in order to get the app to run on my phone. Is there an issue with compatibility between iPhones and YubiKey?
I have used Yubikey 5C NFC keys on my iPhone 15 Pro without issue. No problem with the USB-C or NFC functionality.
There shouldn't be. It sound like something with the email provider (or app).
This is why I am skeptical of these keys.
Simple question and maybe just out of ignorance but what happens if some else gains access to the yubikey? Can they just plug it in and gain access to what’s on the key? That might be a good video.
they'd still need your password I guess?
Yes, they would still need your username and password. The idea of somebody trying to find and steal such a small key off of somebody hasn’t really been a thing, though.
Useful content as always Love all your videos sending love ❤
Thank you!!🙏
What happens if they security key brakes? You will loose everything?
They’re extremely durable, but that’s why I always have a backup key or keep my backup phrase in a safe place.
Great tutorial, pls explain Yubikey menager desktop app. pin and puk and certificate video would be good.
Thanks for the suggestion!
Can you answer this question please.. If I'm using Bitwarden, and have 2FA running on it too(on bitwarden), but only way to access my Bitwarden is having my yubikey, is this safe? Or do you recommend not having 2FA's on Bitwarden in general?
Yes, using a physical 2FA key to lock your Bitwarden account is an excellent security measure.
@@AllThingsSecured Finally! someone answers! Thank you! I wasn't sure if keeping everything in one nest was safe(which i get it isn't) but i had assumed having physical keys would make it safe, just wanted confirmation from someone who knows, Thank you! :)
That's how my BitWarden account is set up. I also had BW remember one of my Yubikeys with my home laptop, that way it doesn't ask me for my Yubikey. I only use my Yubikeys when I use a computer outside my home (ie work computer).
@@manny7886 thank you! :)
do you suggest using the same key across all these accounts or have different keys?
Same key for sure. But always have a backup.
The best procedure is setting the same accounts on both keys (unless a service only allow one key). Your second key will be a backup for the first one (so you need the same thing on both of them). This is my method.
What happens if I lose both keys, primary and back up?@@AllThingsSecured
Hi, in your exemple, you have four different websites and two Yubikeys for each one?? ... eight Yubikeys to have in total??
No, the same two keys (my primary and backup) can be used for an unlimited number of websites/accounts. You only need to purchase 2 keys.
Thank you for your answer.
A video about using a yubikey to log into a Macbook would be great!
Thanks for the idea!
If you are on FB a lot on the iPhone is there a work around so you don’t have to have a yubi with you all the time?
Just log in once with the YubiKey on your phone and it won’t be required every day for login.
@@AllThingsSecured thank you!
Can the same key be used for multiple platforms?
Yes
Facebook gave the option to save the key to other devices suce as iPad or smartphone. I wasn't sure what to do about this so just saved it to the key. Could the other devices be used or should they have been used?
This is a passkey. You can save this to a device or to your YubiKey. It’s up to you.
I just bought a backup and was trying to add it to my Google account but I don't have the option to add a backup anymore, I can use passkeys is it that?
No, you can add multiple 2FA security keys to your Google account.
I love your channel and am taking much of your advice. HOWEVER, there is one thing I have discovered regarding a company. The company does indeed support security keys but ONLY for logging in online. The same company does not support or allow security keys for their app. Further, they don’t allow you to restrict use of the app. So another person can download the app and get around the keys with only your password and cell phone 2FA. If you remove the cell phone and turn off 2FA, then it will require a security question. So you have to decide would you rather have a cell phone 2FA or security question for the app. Frankly, my solution was to not even use their app. But I still left the cell phone 2FA turned off. That way the security key is always the default, which is another get around. If you leave 2FA on, then it works around the key. I did not name the company for security reasons and because it does not matter. The lesson is to test the key and it if is not working, then it is competing with some other 2FA option or a passcode and those need to be removed or turned off. And you also need to test the app to make sure the keys work there too.
Your security is only as strong as your weakest form of 2FA, even if you’re using a security key.
@@AllThingsSecured Agreed but even if you do everything right you are always at the mercy of your vendor’s software. I did not name the company in my original post but I think now I was being overly cautious. It is Vanguard. They are like the security key poster child, but I quickly found it could not use the key on their app. I called and at first they too were shocked. That can’t be right. They researched and put me on hold and researched some more. Finally they conceded I was right and put in a request for an upgrade. That was a month ago. It might have been fixed by now. If so, then I am to thank apparently.
Is google titan key similar and will it work with most of the same sites ?
Yes and yes
Is it ok if I get a 5CNFC as my main unit but a 5 as a second?
Absolutely. Doesn’t have to be the same key.
What’s going to happen to my Apple TV CZcams app when I add a yubikey to my Google account?
The TV app will require authentication via your phone, so if your phone has been logged in with a security key, you won’t have a problem.
Isn't this Yubikey limited to 25 key pairs / services though?
No. You can use the key on unlimited accounts as a key for 2FA. If you use the Authenticator codes feature from the 5 series, I think they limit you to 32.
@@AllThingsSecured Thanks! The FAQ on YubiKey tells: "FIDO2 - the YubiKey 5 can hold up to 25 resident keys in its FIDO2 application." What are "resident keys" then?
Just wanted to share that iCloud for Windows doesn’t work with the Yubikeys.
Hmm, I didn't know that, but it seems that you're right. That's a shame.
can Google titan key do the same things???
Yes, it can.
What if you lose a key? How do you remove that key from all those accounts?
As long as you have some kind of backup, you can always log in and remove a key. That’s one reason it’s important to name them if you can so you remember which one to remove.
@@AllThingsSecured so if someone finds or steals your key and deletes all your other ones...
@@erbalumkan369In most cases, they still need your ID and password in addition to the YubiKey.
If the Facebook database is hacked, there is nothing that can secure your account, isn't that correct?
It’s not an end-to-end encryption for you as a user, no. But that’s true of pretty much every social media platform.
Banks are the worst. None of my banks have implemented 2FA using a Yubikey.
How to make a Backup Yubikey? Second one ? For same accounts ?
Yea, a backup key is nothing more than a second YubiKey that is setup in the same way as the first. You can’t copy keys.
@@AllThingsSecured thank you
@@AllThingsSecured do these keys have expiry date? Do they fail ? What of they fail? Is there any option to recover accounts ? Let's just say both the keys failed, or stolen or something happened
No expiry. I’ve never had one fail personally nor heard of that happening. Regardless, that’s what a backup is for.
@@AllThingsSecured thank you
What about passwordless logins? Using the key just for 2FA is cumbersome, expensive and problematic(if u loose the key).
That’s why you need a good backup. Carrying around keys for your car is cumbersome too…
They require a phone number? What's the point then? You can do without a yubikey
You can remove the phone number after multiple keys are setup.
No way you save your passwords on your browser? Why?
Browsers were made to browse the internet. They were not designed to encrypt a password vault. That’s my opinion.
@@AllThingsSecured what do you use to store your password?
if only ALL banks were required to have a key as an option
I know...hopefully someday!
Can TWO Yubikeys have the same name?
It depends on the service. The YubiKeys themselves aren’t named.
Vanguard had me give each key a PIN code. Anybody else run into this?
A PIN code through your phone number? I only had that at the start of the process.
@@AllThingsSecured No, a pin code for the key that has to be put in after the key is inserted. When the PIN is entered then the request is made to tap the key.
This is a mess. going back to the 80's.
How so?
Your cell phone account login if supported by the carrier!
What?
Bad idea... Any authentication tied to your mobile number means you don't really own or control it. YubiKeys allow you to own your authentication, and it's beyond the control of the phone company.
@@JM.TheComposer Many website logins do not support anything but a mobile passcode... thus keeping your cell phone account as secure as possible from SIM-jacking etc is critical... If your cell phone company supports it, you should use yubikey on your cell phone account MFA. Unfortunately most carriers do not support it.
Who thinks think again that his real name is josh 😂😂
You'll never know...
they ask for your phone number, and you say "it is not ideal, but that's the way they do it" ???? WTF ???? you just lost any credibility you have ever gotten ... privacy and security is uncomfortable, if they ask for your phone number, you look for another provider.
Sorry to disappoint you. Sometimes you get stuck with a service and you have to use what they give you. Thankfully, Vanguard does allow you to remove your phone number after you set up two security keys.
Where do yall keep your Key stored?
Main one on a key ring that also has a AirTag on it so I can find it easily. Backup in a safe.
One stays on me and one gets stored safely in my office/home.