Passkeys On A Yubikey? Here's How To Set Them Up

  • Added 8. 09. 2024

Comments • 30

  • @ritagraham6703 2 months ago

    Thanks, Tim. I have been trying to install my YubiKeys for 2 weeks unsuccessfully. Your instructions have been the easiest to understand. Thanks!

    • @MrTimTech2022 2 months ago +1

      @ritagraham6703 - Oh wow, so pleased you found my solution and that it's worked for you too. Thanks for the feedback😁

    • @ritagraham6703 2 months ago

      @MrTimTech2022 I haven’t implemented your instructions but will do so soon. 🙏

  • @markembling 4 months ago +1

    Very clear walkthrough and demonstration of the process. Thanks for making the video.
    However, having seen the process from start to finish like that, I'm struggling with one thing: yes, it might be a very secure process from a remote attack point of view but it's surely weaker in terms of a local/physical attack.
    Using a Yubikey (or similar) security key as a second factor, an attacker would need the following to gain access to your account:
    1. Your username (let's assume this is well known or at least very easily guessable; not a secret at all).
    2. Your password (obviously the strength of this depends on the actual password in use, but hopefully it's at least reasonably good).
    3. Your second factor. When using a physical key like this, my understanding is that it's as secure as a passkey insofar as nobody is likely to be able to compromise it remotely. So they'd need the actual key itself as well.
    However, using a passkey, they'd only need 1 and 3. They'd also need the PIN for the key but having watched your video, I assume that's just a basic numeric key (you used six digits). Not nearly as strong as whatever your actual Google account password would have been.
    So surely now your account is only as secure as your Yubikey is. If you drop it, lose it, leave it unattended on your desk in the office accidentally, get mugged, whatever it might be... you have given up a very large proportion of the protection on your account and you'd need to get into your account and revoke the passkey ASAP. Whereas in the same scenario using the key as a second factor, you'd still be relatively well protected by your actual account password giving you a little more breathing space to get logged in and revoking the second factor for the now-lost-or-stolen Yubikey.
    Everyone keeps talking about how passkeys are the best of the best security-wise, so I wonder if I'm somehow missing something?

    • @MrTimTech2022 4 months ago

      I see where you're coming from and I think it needs some more investigation into that, to be honest. I, like everyone, am still quite new to Passkeys and I'm still, I have to say, using the older methods for logging in to accounts, although I do have a few passkey ones but not many. I think I will wait to see what happens with other web providers and how quickly they all move over to Passkeys - if they do. Before I am totally convinced, like yourself I guess?

  • @tomg4260 2 months ago

    Thanks for the video, no complaints on that. If anyone is thinking of getting these, forget it. Hard to set up and even harder to get them to work on the things you want to protect. If this was a good product it would be plug and play, this key is simply a good idea wrapped in a terrible product. I've seen 10 videos now and can't get this to work with any websites.

    • @peterd.1165 16 days ago

      I have had a very similar frustrating experience - They are most definitely not easy to set up or manage - My FIDO2 Pass Code became corrupted - and their help line was useless in helping me to resolve the problem - I don't think the guy on their helpline actually understood the damned thing - I have, like most people, only an average ability as far as computer technology is concerned - but Yubico thinks that everyone using their product is a computer technician. It's like buying a new car - you know how to do the regular maintenance - but if you bought a Yubico car they would expect you to be capable of re-building the engine and checking the gapping of the piston rings! There must be other products out there which are more user friendly!!

    • @tomg4260 16 days ago

      @peterd.1165 I agree with what you said. I don't like to leave a negative comment, just trying to warn people about this before wasting their money. Like I said, a good product would just work when you plugged it in. Imagine buying an iPhone, and you had to do all the programming to make it work.

  • @ecu4321 6 months ago

    I've used a Yubico Security Key NFC and was able to use FIDO2 Passkeys. I think it's not tied only to the 5 series.

    • @MrTimTech2022 6 months ago +1

      @ecu4321 - Thanks for your comment, yes you're correct in that the Security Keys do support FIDO2 Passkeys. I will be doing a video soon about selecting keys.

  • @stevehunt2125 4 months ago

    Excellent video thanks

  • @the_analogist 2 months ago

    Is the pin you entered when setting up the passkey the pin/pass phrase for the Yubikey or a pin per passkey? I assume the former.

    • @MrTimTech2022 2 months ago +1

      Hi there, the pin is the pin for the Yubikey itself and not a pin for the passkey(s). So the pin is tied to accessing the yubikey. Hope that makes sense, so yes the former per your question.

  • @ripleysmith7583 3 months ago

    Great thanks

  • @maledven2622 6 months ago +1

    Great Video! Thx.

    • @MrTimTech2022 5 months ago

      Thanks @maledven2622 - You're most welcome, glad you found it helpful😀

  • @IssacBerry-nd8pt 4 months ago

    I bought a Series 5 and only seldom use it. How the hell did Google make it into a passkey? And limit it to 25/key? Before that I think I could link unlimited accounts. Why go backward?

    • @MrTimTech2022 4 months ago

      True, it's just a personal choice in the end really. I just prefer some physical device to store keys/authentication rather than storing things in the cloud. I am also waiting until most of my accounts use PassKeys before I totally go over to them for logins.

  • @x91w 3 months ago

    Token2 stores 300 passkeys

    • @MrTimTech2022 3 months ago

      Really, that's better then, although according to what I researched on the Yubico website it can only store 25 individual keys, Google search reveals this too. Do you have a link for your info?

  • @IssacBerry-nd8pt 4 months ago

    No sh1t, not working for me. Can't finish the process.

    • @IssacBerry-nd8pt 4 months ago

      OK, I can add my Yubico keys as passkeys in Android phone, but not the Win10+Chrome.

    • @MrTimTech2022 4 months ago +1

      @IssacBerry-nd8pt I presume you are using the same email accounts for the passkeys on all 3 devices. I would check the Yubico support pages.

    • @IssacBerry-nd8pt 4 months ago +1

      @MrTimTech2022 I sorted it out... I have to directly run the portable Chrome and NOT thru sandbox. Solved, thx.

    • @MrTimTech2022 4 months ago

      @IssacBerry-nd8pt Oh right, that's way because of running a VM. I didn't realise you were running a VM. Anyway at least you've resolved the issue now, great work!