How Security Keys work (2FA explained!)

  • Added on 25. 08. 2024

Comments • 349

  • @angelh1743 · 1 month ago · +3

    I completely agree with this video. I setup a security key 4 years ago; plus a spare along with a security key compatible password manager. No regrets so far.

  • @outbackeddie · 1 year ago · +26

    I'm glad you focused on just one product. I'm "technologically challenged" and information overload is a real problem for me.

  • @suicidalpig2792 · 1 year ago · +38

    Great content as always Naomi.
    It's a fantastic service you are providing explaining how to secure our online transactions & keep our information safe.
    Please keep up the great work you do 😊
    Greg

  • @openeroftheway8596 · 1 year ago · +19

    Public key security is awesome. Phil Zimmermann and others changed the world. God bless them. God bless you and your team, Naomi. You bring good knowledge to many seekers. Thank you.

    • @vacsimile · 1 year ago · +2

      Agreed, public key cryptography is amazing. Phil Zimmerman is a hero.

  • @jbrock8596 · 1 year ago · +29

    I appreciate this video about security keys, you made it seem very simple. I think I am finally convinced to take the plunge, although password managers and security keys seem harder to implement when families are involved with shared passwords and access like they are in my household. I guess that sharing just makes the security more important, but it requires changing some habits as well as adding some new technology like security keys.

    • @NaomiBrockwellTV · 1 year ago · +10

      Oh, password managers make it even easier for families because you can share passwords super easily!

  • @kevinfranco5449 · 1 year ago · +5

    There's only one thing I can say about this video: AMAZING. I have never thought about security in that way; it's shocking when you realize that you're unprotected.

  • @wingandhog · 1 year ago · +7

    I have thought about this level of security for quite some time. After this review, I think it’s an important addon to consider. I think I will order a Yubi

  • @gmmxn · 1 year ago · +3

    I have used yubikeys for years... Everyone should do the same; in fact some of my relatives and friends are going to receive yubikeys as Christmas presents.

  • @horsethief1472 · 1 year ago · +4

    Thank you sooooo much for doing this video! I use 2FA on my accounts but my old email was hacked recently, and it was devastating. I saw this security key option on some accounts, but it was very confusing. I will be ordering one of these options directly from the supplier tonight. Thank you again for helping to keep us safe.

    • @NaomiBrockwellTV · 1 year ago

      💛

    • @edwardmacnab354 · 1 year ago

      my bank has rescinded email and landline options for receiving verification codes and will do so only on smartphones

    • @Itsme-vo4fx · 1 year ago · +3

      @@edwardmacnab354: The problem with having a code sent to a smartphone is, if I am outside my home country I don't use my phone because of the high roaming cost.
      I once had to open my phone, in a different country, and after being closed for a month I received hundreds of emails and notices that were “parked” because the phone was closed. It cost me a fortune just to use my phone for five minutes. With email, I can use WiFi on my iPad to receive the authorization code without any cost. Using your cell phone is fine if you are within your provider’s territory.

    • @edwardmacnab354 · 1 year ago

      @@Itsme-vo4fx I have two situations where my bank AND Microsoft on Windows 11 will not allow email or landline but only text, and I do not have a mobile device that receives text. I have a landline that does not do text. Also, thanks for the heads up on that "parked" dam burst overcharge situation with the backed up email. Terrible!

  • @frodev728 · 5 months ago · +1

    Naomi! I love your videos on security issues, always well researched and clearly presented. I’m hoping you will do an in depth video on PASSKEYS soon!?!? any clues as to when we can expect this?
    🙏

  • @martinwalker3088 · 1 year ago · +4

    Another great video to get my head around. Thank you Naomi

  • @armandbeute134 · 20 days ago · +1

    Very helpful. Thank you.

  • @CCalquemist · 1 year ago · +3

    This channel is a blessing. Your videos are amazing! ♥️♥️✨

  • @vacsimile · 1 year ago · +7

    Great video. I have been using Yubikey on critical accounts for a while now and it helps me sleep at night. Still shocks me that Bank of America only allows 2FA via SMS or email. I have written the angry emails but they don’t care.

    • @FixHart · 1 year ago · +1

      Every bank I've used has only ever allowed SMS as 2FA. It REALLY makes me mad, and I don't understand how institutions that handle sensitive, financial information don't have security keys or, at the very least, OTPs as a method of 2FA.

    • @manny7886 · 1 year ago · +1

      Financial institutions (like banks and credit card companies) are notorious for not supporting physical keys as 2FA.

    • @XMP2K5 · 1 year ago · +1

      Bank Of America does support Yubikey.

  • @you3d · 1 year ago · +15

    What happens when the security key malfunctions? To fix this, two or more security keys should be registered, where either one of them can be used to unlock the user from the mess.

    • @TMOC1977 · 1 year ago · +4

      I was also worried about this... What if I lose it, or it is damaged... Will I be locked out of my accounts?
      Naomi didn't mention if there was a seed phrase or something similar to use to recover if those scenarios happen.

    • @Chipchap-xu6pk · 1 year ago · +7

      That's why they said to get multiple keys. Having a seed phrase somewhere is a risk. If one key breaks or gets lost, you can use the other. If you register multiple keys to an account, you can use any of them to access it.

    • @firalia · 1 year ago · +1

      @@TMOC1977 That's why she said you need to get a minimum of 2 keys

  • @natemarx4999 · 1 year ago · +12

    Naomi represents greatness.

  • @KennyChong · 1 year ago · +5

    Excellent video and couldn't have come at a better time as I've just received a set of security keys but have not set them up yet.
    I have read online of people using the same code to register their main as well as backup keys while in the video, the backup key is registered with a different code from the main key. Maybe seasoned security key users here might be able to comment on which method is better? Or maybe it doesn't make a difference?

  • @thesingularity1010 · 1 year ago · +1

    Thanks Naomi. Looking forward to your open source comparisons and options. Assuming Nitrokey and hopefully soon Mullvad.

  • @Deleurme · 1 year ago · +1

    Hello. I go through google translate (sorry, I'm French): Thank you for your video which is very instructive. You demystify computer security.

  • @jwillisbarrie · 1 year ago · +3

    Thanks for adding actual captions for the Deaf

  • @chadboga1784 · 1 year ago · +2

    Great explanation Naomi!!

  • @barriewright2857 · 1 year ago · +2

    Brilliant so much information but very useful and helpful, thank you.

  • @Steven_nevetS · 1 year ago · +1

    Very very useful info Naomi. Thank you. I think losing these keys is going to be a problem....

  • @bcadams75 · 1 year ago · +1

    Excellent breakdown of security keys

  • @videocruzer · 1 year ago · +1

    I too was also a Contractor for many years in the communications industry.
    I literally got to install the very first real-time packet sniffing server on the West Coast of Canada, Friday the 8th, 2001. At that time the company that I worked for handled about 99% of the data on and off Vancouver Island, British Columbia, Canada.
    The black box was mandated to be installed in every head end in Canada that sold the internet, or lose the ability to sell the internet. Mandated by the CRTC just before 9/11. Funny part of that story: I helped install that black box on Friday, and then on Tuesday this group of people flew planes into buildings and life changed for everyone almost instantly. Pretty funny story when only a couple of us knew that 1/2 mill box was sitting in our head end. The going joke back then when someone was standing next to it... we would mutter, "That's one hell of a black box."
    As of late we have been told that the federal police in Canada's communications network is now compromised by overseas countries; last week we were told that all video surveillance security devices in North America are also compromised. My bet is not one chip shipped in the last 50 years would pass the new inspection process. Pretty funny story, bro.

  • @hamad7 · 1 year ago · +2

    What's YouTube doing not recommending this channel all those years?

  • @johnc202 · 1 year ago · +1

    Great video Naomi, Yubico, what a great explanation......Thank you!!

  • @antonygoedhals6272 · 1 year ago · +1

    Great video! Thanks to you and Yubico.

  • @chillsmeit · 1 year ago · +1

    When you talked about TOTP you could have referred to the Aegis OTP Android app; it's FOSS! Great work regardless!

  • @capnmark4 · 1 year ago · +3

    Thanks... I got a Yubikey a couple of years ago and it wound up being more of a pain than anything else. Not really the key's fault, but the number of websites that didn't support 2FA via a security key. Most of them did support one or more authenticator apps, so that is the way I've gone when I could, and SMS when that is the only thing available. Now if I could just get the rest of them to move away from reCAPTCHA.

    • @firalia · 1 year ago · +3

      Yubikey 5 supports TOTP, which are the authenticator app codes. You can use those as long as you have the Yubico app that supports them.
      That being said, I still think even the more basic Yubikeys are worth it for protecting your most sensitive accounts (email, password manager, bank if you can). Even if most regular things don't support it, the important things do, and that's what matters imo.

  • @reikhard · 1 year ago · +1

    You are the BEST Naomi !!!

  • @M167A1 · 1 year ago · +5

    Great idea, too much trouble, all my users forget or lose their keys unless you tie it to them.

  • @BUBBLETEABOY · 1 year ago

    I've been using them for years, love these keys; btw, love love your channel.

  • @beardlyinteresting · 1 year ago · +5

    I'd always thought it was strange that asymmetric keys weren't used for web site authentication. It's nice to know this tech is now being utilised.

    • @catchnkill · 1 year ago

      It already does. Web sites now use HTTPS, and it uses public key cryptology to prove that you are connecting to the site it claims to be.

    • @beardlyinteresting · 1 year ago

      @@catchnkill Yeah, that's not what I meant. I meant that you can't register to a site by giving them a public key, so that only someone with the corresponding private key could then log in to that account.

  • @iMontemo · 1 year ago · +2

    Great video. Thank you!!

  • @josank · 1 year ago · +4

    Reflections and observations....
    1) Showstopper bugs as more of these are deployed. Emergency patches for your little key.
    2) Your primary and backup both get stolen/damaged/lost, especially when traveling internationally.
    3) The joy of dealing with logins when traveling after both keys, for whatever reason, choke.
    4) Designing security that relies on cheap, fragile dubious hardware.
    5) Hacks to work around the root cause, which are operating systems that have horrible, creaking architectures baked in which invite endless flaws and bugs (0 day exploit du jour).
    6) Making the login process so tedious and annoying that people just start avoiding doing business online as the overhead, stress and drama is intolerable.
    7) You need a trusted friend or family member to log into your account during an emergency (like being detained by authorities in some borderline police state) and they have confiscated your keys. You are so screwed.
    The examples given above are all based on real events encountered over the years in my job.
    I've been in the computer security business for a long time. It continues to devolve. Hacks on top of hacks.

    • @transmitthis · 1 year ago

      I'm halfway through Cory's "Attack Surface", so I'm inclined to believe you.
      Plus the other peeps above who mention the Security Keys are only ever an "option" for websites, with the fallback being phone text or email, which seems to render these keys of very little actual use.

    • @edwardmacnab354 · 1 year ago

      Please start a channel! ALSO--- I'm going to use phone text verification for all my online banking transactions; it seems reasonable, but then, the bank gives me no other option anyway. I cannot say how well this works as I haven't even set it up yet. I wish I could just mail cash to people, far less risky!

  • @ldc1963 · 1 year ago · +1

    Great video, lots of useful stuff, thanks

  • @robertmonaghan5420 · 8 months ago

    Naomi Is Awesome! Thanks for The Insights and Tips. I've learned A Lot watching Your Videos. Thanks

  • @davidyorkmunster9745 · 1 year ago · +2

    I always wanted to get a key, but was overwhelmed by all the information. Thanks for clearing up this very important topic for noobs like me. Greetings from Switzerland.

  • @chalion8399 · 1 year ago · +3

    You can't state it enough. You need to be as secure as you can make yourself online. No one is going to take care of your online presence if you don't do it yourself. You may be just one fish in a huge ocean, but there are many people just looking for an opening to take whatever they can get from as many people that they can to benefit themselves. So, using any extra security just makes sense, even though it may be sometimes annoying to have to use it.
    Once you start using extra security and get used to using it all the time, you will not notice that inconvenience anymore. It'll just be habit.

  • @ronm6585 · 1 year ago · +1

    Great info. Thank you Naomi.

  • @brucesyvertsen2147 · 1 year ago · +1

    Excellent information!

  • @edmundpotrzeba8455 · 1 year ago

    Loved your honest and easy to follow video, thank you ❤️

  • @John-oz1do · 1 year ago · +1

    Very informative, thank you

  • @RagnarRipper · 1 year ago

    PIV is definitely my favorite way to authenticate...
    And I'll see myself out now.

  • @loneranger5928 · 1 year ago · +4

    Nice content👍👍 Can you secure a computer or mobile device operating system with a Yubico key?

  • @ericae9007 · 1 year ago · +2

    Thanks for your expert research and information! ❤

  • @tigreonice2339 · 1 year ago · +2

    Make a video about Google Authenticator, because the Yubico key isn't sold in my country :(

  • @gerry2345 · 1 year ago · +1

    I like this vid. Good insight.

  • @igorangelievish8111 · 1 year ago

    Hi Naomi, what's the best 2FA for iPhone? Many options, don't know how to choose. I'm a little slow😂😂😂😂 thank you

  • @junaid2606 · 1 year ago · +1

    As far as I know, banks in India provide only SMS based 2FA, which is highly insecure and most government bodies don't have any form of 2FA at all. If they do, it's only SMS based 2FA again. 2FA and security in India really needs a big boost.

    • @NaomiBrockwellTV · 1 year ago · +4

      Banks everywhere are notoriously awful with customer security options

  • @friederichvanderheusen4031 · 4 months ago · +1

    Thanks

    • @NaomiBrockwellTV · 4 months ago

      Thank you so much for your support, it's so very much appreciated!

  • @nilesalih1740 · 1 year ago · +1

    It's the best 👌 thanks a lot

  • @evtyler · 1 year ago · +1

    Great video!

  • @matt_kelly · 1 year ago

    I have a variety of devices on several platforms and the one that makes me hesitant about the YubiKey is the support for USB-C iPads isn't great. It's an Apple problem, not a Yubico problem, but still something to consider.

  • @tyrojames9937 · 1 year ago · +1

    GREAT INFORMATION!👔😀

  • @buckleymordecai9605 · 1 year ago · +1

    SOOOOO helpful!

  • @kauigirl808 · 8 months ago · +2

    My social media is always protected.

  • @Burps___ · 1 year ago · +94

    I lose my car keys...can't imagine carrying a Yubi key. 🔑

    • @GulfCoastGrit · 1 year ago · +11

      Do you lose them just in your home or everywhere you go?

    • @speedracer9132 · 1 year ago · +34

      This is why you never buy just one; buy at least two. Personally I have 3. Keep one spare at home and the other at a trusted family member's home.

    • @speedracer9132 · 1 year ago · +10

      @@kimsvendsen Chances are your SMS codes are more likely to get hacked via SIM swap or clone than the hassles of these keys.

    • @therealb888 · 1 year ago · +9

      @@speedracer9132 Fact is, as much as we like to think hacking is solely technical, hackers always go for the lowest hanging fruit.
      Some countries have much stricter regulations and invasive identity checks for SIM registration, like compulsory in-person checking (though easily beaten by corruption). Even then, pickpocketing and theft are more common, making an authenticator app or SMS safer in these cases. Hell, sometimes you can't even buy genuine hardware keys without insane tariffs & markups as an individual.
      This is why threat modeling is necessary. In edge cases, fundamentally more secure options can end up being less optimal.

    • @mr.amsterdam2063 · 1 year ago · +4

      @@kimsvendsen Lose 1 key, you still have your hardware; YOU can remove the lost one. But if they get in your house and steal all of them together, you may be right, I don't know. What I do know is SMS is weak and easy to intercept. Conclusion: maybe you need to look for a better way than 2FA SMS? Solution: I don't know what is the best and most secure way. It depends on the person and on which case, because we all use different scenarios. That is why, for example, Yubikey has not just 1 kind of key, but many to choose from.

  • @almarma · 1 year ago · +5

    Very interesting videos about security. I have one doubt though: I feel these keys are really secure against online threats, but aren't they much less secure physically? I mean, what if your children take it while you're sleeping to buy stuff online? Or worse, what if during a break at work you leave it plugged into your laptop and a colleague or boss uses it to spy on you?
    My examples are quite simple, but I suspect there are some potential risks there, at least from a first look at it.

    • @MrTibast75 · 1 year ago · +2

      Well, even if they had the Yubikey they would need to have access to your open computer with an open email, right? Just remember to log out and it is fine.... And if this still concerns you, get a Bio Yubikey that requires a fingerprint too.

  • @genericdude6551 · 6 months ago

    I use these yubikey security keys and they can be a hassle to use. Especially if you want to make a backup key later.

  • @B13SR · 1 year ago · +1

    Can you make a video on privacy-focused NAS/home cloud storage?

  • @robloxfan4271 · 4 months ago

    they are quite expensive, but worth it

  • @felixaudet5860 · 5 months ago

    With the increasing number of websites that mandate you to download an app on your phone and then scan an on-screen QR code for authentication, there needs to be a safer alternative for those who don't want the risk of a phone app. One better way of doing this would be a dedicated device, or just an updated login key device, that would have a camera allowing it to scan on-screen QR codes.

  • @jeffpearson1863 · 15 days ago

    Let me know when they work on banking sites

  • @ygt-cd3mg · 1 year ago · +2

    I got 6 yubikeys, 2 security keys, 2 Yubikey 5C NFC USB-C and 2 Yubikey 5C NFC FIPS 140-2 USB-C. Not gonna lie it’s very addictive!

  • @RichardPhillips1066 · 1 year ago · +1

    I'm using Google Titan keys, with Google Advanced Protection enabled; I found Yubi to be a bit tricky on Android.

  • @electroteque · 1 year ago

    I use my Yubikey 5 for my Windows login also.

  • @DevinAdint · 1 year ago

    Now if they could make one with built-in key fob ability, and Schlage door locks that support NFC and FIDO, and then just slap an AirTag key chain on it, it and your phone would be the only things you'd have to go out the door with.

  • @coisasnatv · 1 year ago · +13

    The main problem of these keys is that 1) they're physical, 2) you become a kidnapping target, 3) a criminal can cut your finger off to get easy access to all your accounts. And since these devices use biometric data, it can be easily spoofed since apps like TikTok among others already have your biometric data (eyes, face and fingers). Another big issue with "security keys": if your biometric data leaks out, I can use that to have access to ALL YOUR ACCOUNTS.
    When your password leaks out, all you have to do is change it. When your biometric data leaks out, what are you gonna do? Change your finger/eyes/face?
    These devices might look secure but they AREN'T.

    • @electroteque · 1 year ago

      There are no biometrics involved in WebAuthn. It's public keys.

    • @specopsbarton · 1 year ago

      I saw many times how many people advertise those keys as "best" security, but I doubt they are best...

    • @tekdragon · 1 year ago · +4

      I THINK this dude might just be trolling, but just to clarify for anyone reading this: With the exception of a few specific models of Yubikeys that do have a fingerprint reader, MOST of those security keys shown in this video do NOT have fingerprint sensors. Those circular gold contacts you see are simply just capacitive buttons to press in order to verify a human being is there using it on purpose. No biometrics are involved unless you specifically buy a Yubikey model that has one built-in.

    • @titanplatine · 1 year ago · +2

      I saw a project a long time ago about fake fingers that can trick biometrics into thinking it's a real finger (and be registered as a valid finger); that way you can have biometrics without using any of yours. You can even go further and register one of your real fingers as a panic button if you are held at gunpoint or someone uses either your finger or a copy of your print, so that either the device gets wiped or opens a session with all your encrypted data hidden via steganography, depending on your threat model (e.g. you live in a nation-state where you don't have a right not to self-incriminate).

    • @dialvarezs0 · 1 year ago · +2

      Although it's true that being a physical item makes it vulnerable to being lost or stolen, this is basically the same as your other physical keys (for your house or your car). Because of that it's recommended to have more than one key, so you don't lose access to your accounts.
      And you're wrong saying that if someone steals your key, they get instant access to all your accounts. This is an additional layer of security (unless we're talking about passwordless, but the implementation is very limited for now); they still need to know your password, and unless you use the same password for everything (bad idea btw), they still have "work" to do before owning all your accounts.
      And about being a kidnapping target only for using security keys, that doesn't make any sense. Nothing prevents someone from kidnapping you to force you to give them all your credentials and money, or extorting your family to get more money, but they also get exposed to going to jail. Most security attacks are done remotely and on a large scale (not targeted).

  • @generic_official · 1 year ago · +1

    If an online service (primarily banks) only offers Email or SMS for 2FA, would Email be the better choice if it's locked down with a Yubikey?🤔

    • @NaomiBrockwellTV · 1 year ago

      A service locked with a yubikey is going to be better protected I would presume

  • @RobSnow-ui4sz · 3 months ago

    Now you have to use a passkey in Google, so how do I go back to only using a security key?

  • @dorkusmaximus3033 · 6 months ago · +1

    Thanks!

  • @Notone6789 · 1 year ago

    It seems like the Webauthn passwordless technologies such as Apple Passkey eliminate the need for hardware keys such as the ones made by Yubico, at least for individual users. Do you agree?

  • @mrv1264 · 7 months ago

    You didn't discuss the most important issue: compatibility with the web sites that the individual needs to use. The much larger challenge is for web sites, enterprises, services, etc. to adopt a given mechanism for individuals to use for 2FA. What good is any of these security keys if web sites don't offer it as an option for 2FA?
    At the end of the video around 17:00, you briefly discuss this, but you could enhance the discussion by addressing the various protocols and the problem that, even if a web site offers security key 2FA, the problem is compatibility and support of specific systems and protocols.

  • @thomasreedy4751 · 4 months ago

    So where are all of the follow up videos going over keys other than YubiKey and Fido2 authentication???

  • @jeffpearson1863 · 1 month ago

    I heard they don't work on banking sites. Is that true?

  • @hmssirius9343 · 5 months ago

    Do you need multiple physical keys, for example, if you had more than one twitter or gmail account?

  • @pauliusnarkevicius9959

    What if Last Layer would have Weakness for messing everything around and no point for previous Inputs?

  • @MrOzphoto · 4 months ago

    The only issue is that not many websites use these hardware keys, so it's very limited.

  • @johnsynapse2407 · 1 year ago

    Can using a security key break siloing/isolation by being linked through the key ID?

  •  1 year ago

    Yubico's website suggested the bio series don't have PGP. I'm confused.

  • @nancym1430 · 5 months ago

    At 16:41 you say that if your key is lost/stolen, you just log into the affected accounts and delete that key. So I assume you have to use the backup key to log in, right? Thanks.

  • @per_sev · 5 months ago

    Would be even better if they allowed people to choose this as the first factor of authentication before the password can be tried.

  • @HiveMind2024 · 1 year ago

    You look amazing without glasses.

  • @joseluisesquivelgregorio1948

    Hi, thanks for the video. I would like to mention though that I come from Instagram and the title of your videos did not make it easy to find the one I was looking for 😅

  • @__-nr9yh · 5 months ago

    So two or more keys can be tied to any one account at any one time, and any one of the keys can grant account access?

  • @Samy-ck8oo · 6 months ago

    The problem that renders these keys useless is that you get your session cookie after you do your MFA. If your session cookie is long-lived and the adversary steals it, then they can impersonate you without compromising your MFA.

  • @SergiiStarodubtsev · 7 months ago

    Your phone may be that device where you tap "yes" to log in, so why one more device? A phone 📱 requires user presence too.

  • @feudiable · 1 year ago · +1

    Thanks again for the great information! So do I understand correctly that to back up your login method in case you lose/break your key, you still need a different (ideally 2FA) method to log in? (Be it another key, TOTP, etc.)

    • @mbunkus · 1 year ago · +3

      Yes. Backing up your 2FA is indeed a problem few people talk about. This area is where authenticator-apps based schemes actually have an advantage: most offer to back up your set of TOTP settings & secrets automatically & regularly. However, those backups have to be stored in a safe way, too.
      As for hardware tokens: I have several friends that actually have two sets of tokens: one for daily use, carried around with them; and another one for backup purposes, stored somewhat safely but still easily accessible. For each new site they want to access they enroll both hardware tokens.
      If you don't have any type of backup of your 2FA device/software, you implicitly rely on the site's password recovery functionality - and all the insecurity that might entail (mostly a question of how secure your email account is). Then again, I don't know a lot of sites that actually allow you to disable password recovery functionality for your account. It's all a bit… meh.

    • @feudiable · 1 year ago

      @@mbunkus Oh, I didn't even think about the password recovery options, thanks a lot for your insights!

  • @_Forever555 · 1 year ago · +1

    Can you show us how to set it up? It’s hard to understand

    • @NaomiBrockwellTV · 1 year ago · +1

      Good idea, perhaps I'll put out a supplementary video. In the meantime, for whichever account you want to add this 2FA to, go to the security settings for that account, and it will tell you whether they support security keys or other 2FA methods!

  • @DSR299 · 1 year ago

    What if my email is MSN and not Gmail AND the email is hidden in a Password Vault? AND, what if I want to only use a Security Key for the iPhone and NOT the Desktop Computer?

  • @Vednier · 2 months ago

    Actually Yubikey Bio supports only U2F and FIDO2; it's a Security Key with a biometric scanner, in a nutshell.
    Bad thing is that ALL these videos only tell about Yubikeys, while there are enough other vendors.

  • @karmakanic475 · 8 months ago

    Minute 16:30: if someone steals my bag that has my laptop and authentication key, how can I log into my account from somewhere else when I don't have the key and I didn't make a backup?

  • @sachybullock3855 · 6 months ago

    Is the Google Titan key good?

  • @rlemoyne007 · 1 year ago · +8

    2FA usually requires your phone number; this way they can link all your accounts together.

    • @wakaneut · 1 year ago · +1

      Single point of failure.

    • @rlemoyne007 · 1 year ago

      @@wakaneut, caused by all banking institutions insisting on a phone number for authentication.

    • @NaomiBrockwellTV · 1 year ago

      This video is about security keys, not phone numbers.

    • @NaomiBrockwellTV · 1 year ago · +4

      Yeah banks suck at security on their websites.

  • @MichaelSekati-gg4rk · 5 months ago

    Where do I make the purchase for those security keys? 😮

  • @gigigigi9479 · 1 year ago

    If someone gets their hands on your security key (Yubikey), can it be modified?

  • @OH2023-cj9if · 3 months ago

    Why do all UK banks insist on using text messages to send codes to the same phone the app is installed on? You have to use codes they send by email or post to register.

    • @iamaduckquack · 3 months ago

      SMS is the worst and weakest form of 2FA, and it's miserable that banks of all places use that method.

  • @Torterra_ghahhyhiHd · 1 year ago

    Can I add a YubiKey on to the Trezor?