2FA Isn’t Secure - Here’s What You Need Instead!

Science and Technology

Get $5 off a Yubikey 5 NFC: www.yubi.co/shannon-2024
Get a Yubikey and protect your accounts! amzn.to/3S8BSLL *
FTC: Links marked with * are affiliate links, which means I make a small commission off any sales.
References:
fidoalliance.org/specs/u2f-sp...
www.pcmag.com/news/hacking-fi...
/ we_had_a_security_inci...
www.protocol.com/bulletins/ub...
blog.cloudflare.com/2022-07-s...
techcrunch.com/2022/10/28/twi...
www.zdnet.com/article/should-...
/ an-update-on-two-facto...

Comments: 528

  • @ShannonMorse
    @ShannonMorse 1 year ago

    Pinning this comment so y'all can easily find my previous videos about Yubikeys! kzread.info/dash/bejne/qJ6Io5h9laefqZs.html I'm seeing the same questions several times and I answered them in this video!

  • @TheCynysterMind
    @TheCynysterMind 1 year ago

    Sadly MOST financial institutions do not support FIDO keys. As of now None of my banks nor credit cards nor retirement or payroll sites support hardware keys. But pointless sites like social media do...

  • @SaHaRaSquad

    @SaHaRaSquad

    1 year ago

    That's the exact reason I haven't bought a Yubikey yet. My bank account is one of the least protected because banks ironically don't seem to be interested in proper security. The only account I care about which supports yubikeys is the email account, which is important but it's just a single one.

  • @paulbigbee

    @paulbigbee

    1 year ago

    Glad you made this point. Financial services have successfully externalized all of the costs to other parties, including us, their customer. Even Bank of America's WebAuthN implementation is pathetically lazy. By contrast, gaming companies have had to bear the burden of taking calls, creating tickets and recreating state in the game. In short, cost. So, they went looking for a better answer. TL;DR - incentives are for banks, sadly, to do nothing.

  • @TheCynysterMind

    @TheCynysterMind

    1 year ago

    @@SaHaRaSquad I would recommend getting the cheaper fido keys (you should have at least two.. I have 3) and experiment with them on a site you do not care about so you can test the ins and outs

  • @Tech-geeky

    @Tech-geeky

    1 year ago

    That's because they gotta cater for everyone... The larger population of users, the less secure it will have to be.. We always cater for the 'bottom line' the least secure.... The reason why banks usually won't adopt better security is "Our platform doesn't support it", or "it will be too costly". I would say it's about bloody time users got educated.... We all want banks to stop scammers for us as well, but going "so far" with anything, will force users to be better. To me, that is a good thing. You can't expect a business to hold ya hand 100%..

  • @TheCynysterMind

    @TheCynysterMind

    1 year ago

    @@Tech-geeky I am not sure I agree with your assessment. *That's because they gotta cater for everyone* Doesn't Social Media as well? If social media can manage to implement better security.. The banks should have no difficulty. And let us not forget. This technology is available for those that want it. The broader clueless user base is not likely to be forced to use this tech with obvious security benefits. But financial Institutions seem to be purposely taking steps that make accounts "Appear" secure without ACTUALLY being secure.

  • @mrfoodarama
    @mrfoodarama 1 year ago

    Great topic! I wish more companies would add this to their sites, particularly US Banks!

  • @Darkk6969

    @Darkk6969

    1 year ago

    I agree. My current bank only uses SMS which is insecure. Better than nothing I agree but at least offer Google Auth as an option!

  • @BioBrimm

    @BioBrimm

    1 year ago

    Yes! I was the victim of a SIM swap and haven't wanted to use my phone for anything since but am often forced to. Even though I invested in a hardware key, it's rarely an option on its own.

  • @briancarnell

    @briancarnell

    1 year ago

    This is the real problem. So little support for hardware keys still.

  • @notreallyme425

    @notreallyme425

    1 year ago

    Nah, my bank just asks for my dog’s name. I’m sure that's safe.

  • @gblargg

    @gblargg

    1 year ago

    @@notreallyme425 I generate random strings for each one of those. They are essentially passwords so you should make them secure.

  • @headlights-go-up
    @headlights-go-up 1 year ago

    Such a good video! Your work spreading knowledge on the greatness that is hardware keys (as well as your hard work in general) is very much appreciated.

  • @ShannonMorse

    @ShannonMorse

    1 year ago

    I appreciate that!

  • @Blox117

    @Blox117

    1 year ago

    it should be a part of the device itself, inside TPM

  • @anamegoeshere

    @anamegoeshere

    10 months ago

    @@ShannonMorse so once you fail IT and this platform, when are you making a o/f ?

  • @Nanabon23
    @Nanabon23 1 year ago

    Been following both this account and Sailorsnubs account for a while. Not only you just completely sold me on getting a personal hardware key but coincidentally I am currently writing an essay about authentication vs. authorization for my cybersecurity class. I was just casually watching your up-to-date videos because I really enjoy your content! But when I heard you mention authentication / recent events and why Yubikeys are a must for 2FA. I was like wait a minute... Hold up! This is a good example for my essay! Write this down Write down! LOL Thank you for providing us important information! I will make sure to properly cite your video! Much Love

  • @supawiz6991
    @supawiz6991 1 year ago

    “Use them for your most critical accounts” Too bad most banks don’t support it. My bank just finally added support for TOTP. If it takes them the same amount of time to add support for hardware keys as it did for TOTP, it’s gonna be quite a long time before it happens. Hardware keys are king. I use them on any site that supports it. I also use them for ssh access to my servers.

  • @chrisguli2865

    @chrisguli2865

    1 year ago

    I wish they did this for online (and offline) credit and debit purchases - fraudulent charges would go to virtually zero. So just having the card number and details would not be enough for a purchase to go through. Some banks have started doing something like this using virtual card numbers.

  • @azclaimjumper

    @azclaimjumper

    1 year ago

    Bank of America, at present, is the ONLY U.S. bank I know of that permits their customers to secure their accounts with YubiKeys.

  • @BladeWDR
    @BladeWDR 1 year ago

    I wish more sites would allow setting up more than one hardware key. I'm absent-minded and prone to losing things. For every site I have a hardware key on I also need to leave TOTP enabled just so I don't lock myself out of the account by losing the key.

  • @Tech-geeky

    @Tech-geeky

    1 year ago

    That's funny ... We have security in the use of hardware-keys, but then we make security less useful by having "multiple copies" where 'others' can get at them as well.. we THINK it's safe, but it's not. Ideally I'd be more worried if my backup will be safe.. Just because we think it's secret, doesn't mean it is... particularly when we do not have physical access. and it's stored "off site" Makes it THAT much easier for others to get.. If people are determined, they'll get it. Look at what happened with Lastpass... but it can happen anytime to any company.... ExpressVPN too.. But we always like to trade for convenience. We Need to change THAT. And until we do change, getting at security stuff will always be a problem.

  • @JasonsLabVideos
    @JasonsLabVideos 1 year ago

    YEP! the Physical is the way to go ! Don't forget to use generated passwords too !

  • @Tech-geeky

    @Tech-geeky

    1 year ago

    heck... should never be "option". Generated passwords ought to be required. but alas, we have to cater for websites still that will never be 'as secure' as others.. Again, dragging through the dirt..... there is no solution .. You can have a really good password, but if the backend is weak, it's not gonna matter. Anything IS better than nothing, but is it really worth it if it's not gonna protect you anyway?

  • @vasiovasio
    @vasiovasio 1 year ago

    Great overview! Thank you, Shannon!

  • @ericdere
    @ericdere 1 year ago

    TOTP keys in a 2FA app are not sent to you, they are generated based on the initial seed code which you get by scanning the QR code. A 2FA app is therefore more secure than 2FA via SMS or email

  • @SgtKilgore406

    @SgtKilgore406

    1 year ago

    I'm surprised OP missed that. I don't consider SMS or email as 2FA. All my 2FA are TOTP keys which as you said cannot be intercepted provided you are smart with your secrets. If it wasn't for my aptitude to lose things from time to time I wouldn't be as afraid to invest in physical keys. At this time I see it as too risky to use a security device that small and potentially that easy to lose.

  • @joseabraham777

    @joseabraham777

    1 year ago

    But what happens if I lost access to my phone? The websites offer an easy way to restore my logins? I have that doubt :/

  • @ericdere

    @ericdere

    1 year ago

    @@joseabraham777 There are two possibilities:
    - you back up your 2FA data in the app to the cloud
    - you use recovery keys which you can get from the site you login to (do this before losing your phone)

  • @buffalo_wings8224

    @buffalo_wings8224

    1 year ago

    @@ericdere Please help me understand how these recovery keys don't completely undermine the concept of 2FA. A brute force attack can penetrate the static recovery keys even when the website tries to circumvent. Most of the recovery keys I have seen are 8 digits long max and the sites don't lock you out after multiple tries. Sometimes the recovery screen defaults back to the username/PW login screen after several failed attempts, but a crafty hacker can automate the brute force attack. At the very least, the recovery codes provided should be much much stronger.

  • @Tech-geeky

    @Tech-geeky

    1 year ago

    still depends on whether people keep their device up-to-date and app(s). Apps depends on operating system and therefore device.. QR codes are not perfect either. and I wouldn't really rely on them for security. TouchID is better. It's all a stepping stone... How secure do you wanna be ??

  • @mikaellavoie6811
    @mikaellavoie6811 3 months ago

    Just found your channel, listened to 3-4 videos in a row and I subscribed! Very good content and very well vulgarised/explained while maintaining some technical information for more tech savvy people! Good job!

  • @ShannonMorse

    @ShannonMorse

    3 months ago

    Hey welcome to my channel! I'm pretty active with the community here if you ever have questions or just wanna say hi 😄💓

  • @jackielinde7568
    @jackielinde7568 1 year ago

    This episode reminds me of that famous Hootie and the Blowfish song: "Every Time I Touch My Security Key, I Log In".

  • @geezergeek1637
    @geezergeek1637 1 year ago

    For me, no linked videos at the end. Not sure what happened. Thank you for this content. You are the second person this week that I have seen addressing this topic. Each presentation was different, and yours more in depth on the physical keys. Thanks again.

  • @feargalledwidge806
    @feargalledwidge806 1 year ago

    Hardware keys are a great idea in principle - but in reality, for large companies can be a nightmare to manage. Users lose their hardware keys or forget and leave them at home - so your security team is constantly issuing new keys or temporary keys. That is why phone auth apps reign supreme. Even the worst user will always remember their phone. Normally when I do 2FA deployments - I do phone apps as the primary option with yubikeys for those users who don't want to use their personal phones.

  • @BDBD16

    @BDBD16

    1 year ago

    What about those non smart phone users....yup...encountered it before.....

  • @feargalledwidge806

    @feargalledwidge806

    1 year ago

    @@BDBD16 That's why phone apps are the primary option - but not the only option. For people without smartphones or who don't want to use their personal phones - a yubikey covers those cases.

  • @tudalex

    @tudalex

    1 year ago

    Hi, here is a simple trick. Give them the micro keys that will always stay plugged into their laptops/workstations. If you are trying to protect from stolen laptops, configure the yubikeys to also ask for a password, not just a tap. Another way I’ve seen it done was to suggest them to have them attached to their badge keyring or home keys.

  • @klwthe3rd

    @klwthe3rd

    1 year ago

    I couldn't agree more. I work in IT Security and if you read my posted comment, it talks about people losing or forgetting their keys everywhere but on them.

  • @esquilax5563

    @esquilax5563

    1 year ago

    Who are these people who are going to work without their keys?? The whole idea of these things is you keep one on the same key ring as your house key, so you're essentially never without it

  • @juliusrowe9374
    @juliusrowe9374 1 year ago

    Great content Shannon! Super informative too!

  • @VincentGroenewold
    @VincentGroenewold 1 year ago

    Thanks Shannon, I bit the bullet and used the promo code. Ordered 2 keys, one as a spare. :)

  • @ShannonMorse

    @ShannonMorse

    1 year ago

    Smart!!

  • @ivanbarksdale
    @ivanbarksdale 1 year ago

    Very insightful video! Btw I ❤your sailor moon shirt it compliments you and your setup beautifully ✨🤟🏾

  • @himabimdimwim
    @himabimdimwim 1 year ago

    I bought two yubikeys after watching your previous videos on hardware keys, I'm excited for them to arrive!

  • @michaelupchurch3779
    @michaelupchurch3779 1 year ago

    Great video thanks 😊 Shannon hope you're well

  • @donamills
    @donamills 1 year ago

    Thanks for your content. Because of your explaining this over the yrs, I finally got my yubi key(s) several months ago along with setting up bitwarden and 2FA (at a minimum). I just wish more companies implemented hardware keys. Thanks again. 👍

  • @azclaimjumper

    @azclaimjumper

    1 year ago

    YubiKey is required for me to log onto both of my computers (I don't have a so-called Smart Phone) BitWarden, GoDaddy, Yahoo, Google, Tutanota

  • @acerhad
    @acerhad 1 year ago

    Thank you for your knowledge, I've been on the fence about getting a yubikey and your video did it for me. I got a mini already and I am thinking about getting a 2nd one as a spare and for my mobile devices. I am having some problems getting it to work but I am sure I'll figure it out eventually.

  • @zionpsyfer
    @zionpsyfer 1 year ago

    More great info. Long live Yubi. Thanks again for keeping us up-to-date on security news and info. =)

  • @myname-mz3lo

    @myname-mz3lo

    1 year ago

    or any other brand that does this lol

  • @rob-toolsandtech2521
    @rob-toolsandtech2521 1 year ago

    Awesome video, Snubs. I've been thinking about this more lately with what recently has come out with companies such as Tmobile and Bank of America.

  • @krstnhkn
    @krstnhkn 1 year ago

    This video came at a perfect time. I've been wanting to get a Yubikey for years but never got round to doing so. Now finally ordered one, thanks for the $5 off! :D

  • @azclaimjumper

    @azclaimjumper

    1 year ago

    Do yourself a favor & follow YubiCo's STRONG RECOMMENDATION, go back & buy a 2nd Yubikey, in case you lose your first one.

  • @RyoKimball
    @RyoKimball 1 year ago

    Immediately after hearing your comment on art on the key, I grabbed mine and started looking for art supplies.

  • @Counterhackingsafe
    @Counterhackingsafe 1 year ago

    Wow, I am blown away by this post! The information provided is so helpful and informative. I never thought about it that way before. Thank you so much for sharing your knowledge with us. I can't wait to try out some of these tips and see the results for myself. Keep up the great work!

  • @writingpanda
    @writingpanda 1 year ago

    Any time someone talks about Yubikeys, that's an instant like from me. Great video, Snubs!

  • @ShannonMorse

    @ShannonMorse

    1 year ago

    Much appreciated!

  • @mschwage

    @mschwage

    1 year ago

    Agreed. I was hesitant to get one... I didn't understand them, and I was worried I could lose one. So I bought two, eventually, and when I used them I was an instant convert.

  • @writingpanda

    @writingpanda

    1 year ago

    @@mschwage I'm so glad you decided to invest in some Yubikeys! You're doing it right!

  • @digitaldeepak21
    @digitaldeepak21 1 year ago

    Thanks for making this video. But is there a way for someone to take our Yubikey and duplicate it? And if it is connected to the computer all the time (like the Yubikey nano) then is there a way to simulate the "touch" remotely without us having to touch it? Would like to know more. If you can talk about it, it would be great. Yes I am convinced that Yubikey is great, but what makes it unbreakable?

  • @ShannonMorse

    @ShannonMorse

    1 year ago

    Hi! I mentioned cloning of keys at about 7:20 into this video 😊 you can also find the U2F standard info linked in my shownotes to read more about the in depth material on how this standard works.

  • @_BangDroid_

    @_BangDroid_

    1 year ago

    It's only considered _unbreakable_ at this current point in time. Like all security technology, eventually it will be obsolete.

  • @johnhaller5851

    @johnhaller5851

    1 year ago

    You can reprogram the key. It comes with a key, but obviously, Yubico knew it when it was programmed, and could program a second key. Reprogramming the key requires generating new random numbers. I have two keys I programmed myself, and the generation was done on an air-gapped Raspberry Pi. But then, I need to provide the public key I created to anyplace I want to use it. I'm not sure if using the same physical key for multiple web sites causes problems or not.

  • @_BangDroid_

    @_BangDroid_

    1 year ago

    @@johnhaller5851 It may only cause you problems if you want to keep one account isolated from another, eg you use the same key linked to your identity as one you used as a whistleblower. In that scenario the public key will link the two accounts, if I understand things correctly.

  • @coisasnatv
    @coisasnatv 1 year ago

    Hardware keys are useless, try to lose one and tell that to AWS or any other services that use one of those to see what happens, it is a stress you don't want in your life. In my case, I lost all my keys in a flood that destroyed my home, do not trust security hardware, use a password manager instead.

  • @gothparadigm
    @gothparadigm 1 year ago

    thank you so much. i definitely intend on getting one soon. 🔑

  • @nathanielh8239
    @nathanielh8239 1 year ago

    I have a question/scenario: what about when we have automatic login for discord or slack, is there an application that can sign you out automatically so it’s not saved when you login/boot again?

  • @patricklodovica1633
    @patricklodovica1633 1 year ago

    Hi Shannon! Your videos are awesome. I would like to ask if few persons are using the same account, then should they have their own yubikey? Or they can borrow it from me once I login to the account? Also does the yubikey need to be injected on the device to stay logged in on the account? Thank you in advance!

  • @therealb888
    @therealb888 1 year ago

    I need this, couldn't have uploaded at a better time.

  • @loneranger5928
    @loneranger5928 1 year ago

    Shannon good video 👍👍. Can you use a Yubico key to protect a phone operating system?

  • @gunnargu
    @gunnargu 1 year ago

    Did not notice this in the video, these security keys work with the browser so that if a phishing site looks similar to the real website it still won't allow authentication, because the domain does not match.

  • @ShannonMorse

    @ShannonMorse

    1 year ago

    That's correct!

  • @chickpeas.are.versatile
    @chickpeas.are.versatile 1 year ago

    Great video, Shannon! Although I wish some companies would implement it fully rather than do it half-arsed. For example, some sites only allow 1 hardware key to be registered… By not allowing a backup key to be registered it just increases the risk of me getting locked out of my account if I lose/break my main key. Hopefully more and more sites will fix this issue in the future and it is videos like yours which will help increase awareness and adoption so that these problems are eventually solved ✊

  • @longlashcoffeecatcoffeecat7551

    @longlashcoffeecatcoffeecat7551

    1 year ago

    We've seen websites that offer SMS and auth app. And the more rare SMS / key combo. If you're lucky you might get a website that offers one of each method or up to TWO keys. But, my favorite sites are the ones that allow you to use ALL methods and as many as you like. One change I would at least like to see is if you're required to have 2 methods to activate MFA, that you can use 2 keys and/or not have SMS be mandatory. But SMS is about "We know you're a human being"...at least that's what the American banks, etc, tell us. Are cybercrimes at the point where either phone companies or websites should be held responsible for sim swapping if SMS is the only 2FA method available? If the answer is "Yes", then what happens to users that refuse to use 2FA or websites that don't offer any? Like the recent password stuffing attack on PayPal.

  • @SgtKilgore406

    @SgtKilgore406

    1 year ago

    This is exactly why I stick with TOTP instead of pushing forward with hardware keys. I can't trust myself to not lose it and royally screw myself over.

  • @autohmae

    @autohmae

    1 year ago

    Yes, this is a big missing part. What they do often allow: a list of 'recovery codes'.

  • @AG-bp3ll

    @AG-bp3ll

    1 year ago

    @@SgtKilgore406 I totally agree with this. I can't have everything tied to a single key. These keys are tough but they can get damaged or lost. You either can't have a second key or you have to leave a backup to get in that someone could just use to bypass the key anyway.

  • @BogdanSass

    @BogdanSass

    1 year ago

    THIS! I don't know if they fixed it, but a while ago even Amazon AWS only allowed you to register one (ONE!) security key!

  • @jedikv
    @jedikv 1 year ago

    Make sure to periodically check (like every year) that your key is still accepted. I have one key from around 2017 that is no longer accepted for some services. While newer keys I got the past year or so have been

  • @ShannonMorse

    @ShannonMorse

    1 year ago

    I do a yearly security audit to check for this. Good idea to have a different model backup key or to keep your backup codes handy in this case.

  • @martinlutherkingjr.5582

    @martinlutherkingjr.5582

    1 year ago

    Are they the same model keys?

  • @jedikv

    @jedikv

    1 year ago

    @@martinlutherkingjr.5582 No different models

  • @bourne_
    @bourne_ 1 year ago

    Got 2nd physical key like a week ago (Kensington USB-C with biometric layer) and I love it. I was finally able to add key to Windows/Outlook account!

  • @1sikteg
    @1sikteg 1 year ago

    the yubikey code can still be intercepted on physical push. i tried this on myself in a browser while i had a prompt asking to tap my hardware device. if a threat actor is on your computer it can be intercepted.

  • @byondead
    @byondead 1 year ago

    One great use for hardware keys is for seniors. Some may not use cell phones at all and are still using a land line. So this prevents many useable options (like sms, totp, cell phone itself, etc). Plus it's simple to use, and they don't have to constantly change their password. Dealing with seniors who are locked out of their account and educating them on this can be frustrating for you and them.

  • @Taikaru
    @Taikaru 7 months ago

    Fantastic shirt! As someone who stumbled onto the video randomly, that was quite unexpected. :D

  • @MissJaye11
    @MissJaye11 1 year ago

    First thing I noticed was the Sailor Moon Tee!! Love it!

  • @LVRugger
    @LVRugger 1 year ago

    How do you feel about authentication apps? My employer requires us to use one and that seems similar to me.

  • @brianray8484
    @brianray8484 1 year ago

    Can you explain the difference between something like Yubikey and EveryKey?

  • @AndyBlackman
    @AndyBlackman 1 year ago

    I picked a key up a long time ago. Didn't use it very much. Now I am changing my opinion. Now I just have to figure out how to activate it again.

  • @musiceditor7083
    @musiceditor7083 4 months ago

    Great video Shannon - on the subject of accidentally losing this key... what do you do then? Can you buy them in pairs so you always have a spare?

  • @ShannonMorse

    @ShannonMorse

    4 months ago

    Hey, I did a video about this! kzread.info/dash/bejne/Yp2lkqSgma7Sh7A.htmlsi=bH7HqS8xGnVOAZZc

  • @StellaLillig
    @StellaLillig 1 year ago

    Thanks Shannon!

  • @Destide
    @Destide 1 year ago

    Just this week I have started getting my team behind hardware keys, great video to link if I start getting pushback.

  • @_BangDroid_

    @_BangDroid_

    1 year ago

    You'll always get pushback, make it policy if you can

  • @ZhouDynasty314
    @ZhouDynasty314 1 year ago

    wish I saw your code before I bought them, but I will send it to my friend so you get credit for helping us secure our accounts!

  • @PPNStudio
    @PPNStudio 1 year ago

    ProTip: Don't keep your key / security dongle in the same place as your devices. (If a thief steals your purse or laptop bag and the key is inside it, they now have access to your accounts.)

  • @Ghoul847

    @Ghoul847

    4 months ago

    set up a pin, disable key 1 asap in account with backup key. A thief would need to know your usernames and passwords unless you have it setup where you can login just using a key then you’re screwed 😬. You really do need a second key in case of doubts

  • @Aloha_XERO
    @Aloha_XERO 1 year ago

    Thanks for this 🙏🏾

  • @Macleod1617
    @Macleod1617 1 year ago

    Thanks for the code! It works for EACH Yubikey you buy. It's best to buy 2 just in case you lose one and you won't get locked out of your accounts... I got $10 off my purchase. Thanks again Shannon!

  • @ShannonMorse

    @ShannonMorse

    1 year ago

    Yesss this is the way!

  • @TofranBohk
    @TofranBohk 1 year ago

    What happens when you lose the Yubikey or it gets damaged?

  • @BDBD16

    @BDBD16

    1 year ago

    Straight to prison.

  • @jamesphillips2285

    @jamesphillips2285

    1 year ago

    You really need a second one stored off-site in case that happens. (Or tedious one-time passwords also stored off-site.)

  • @Tech-geeky

    @Tech-geeky

    1 year ago

    @@BDBD16 😆

  • @Tech-geeky

    @Tech-geeky

    1 year ago

    Making it easier in case one gets damaged is not my idea of security..... Each to their own, i guess, but the more we have as "backups" the less secure we will be when they are found. We think we know where they are till someone finds them. There is no solution i think.. Constant game of cat'n'mouse... The % of someone else getting access will be small, BUT its still there.

  • @mumbles1justin
    @mumbles1justin 1 year ago

    I'm curious if there's a disadvantage or concern that should be considered when using the “Onlykey” over say the yubikey?

  • @Decomas
    @Decomas 1 year ago

    You can go one step further and get it as an implant. The key pair is generated on the chip inside your body

  • @joeltyler3427
    @joeltyler3427 1 year ago

    Yeah. Companies should have this mandatory. No matter what job role.

  • @Lucy-dk5cz

    @Lucy-dk5cz

    1 year ago

    Absolutes are never the solution. The security required needs to be tailored to each specific case.

  • @Plexdet

    @Plexdet

    1 year ago

    Example: someone whose job is welding or some other construction work and they never need to log into a computer at work.

  • @klwthe3rd

    @klwthe3rd

    1 year ago

    @@Lucy-dk5cz I agree. Well stated.

  • @BlenderRookie
    @BlenderRookie 1 year ago

    If you have multiple computers, do you need a separate key for each device? What happens if the key stops working or is otherwise destroyed?

  • @azclaimjumper

    @azclaimjumper

    1 year ago

    When paired, the same YubiKey can be used to log into multiple computers. If the key stops working you are screwed UNLESS you followed Shannon's advice & YubiCo's advice & buy at least 2 Yubikeys.

  • @SteveEarly-jn6kp
    @SteveEarly-jn6kp 1 year ago

    Hi, I have 2 yubikeys that I used to lock my Apple ID on my laptop! Will that also automatically lock my Apple ID on my iPhone and iPad or do I have to lock each device with a yubi key? Thanks for your great content.

  • @michaelwinter5292
    @michaelwinter5292 1 year ago

    Been looking at this for my personal computer. Work uses a RSA token (app based) and I was wondering how this compares to using something like a yubikey?

  • @cybermousey
    @cybermousey 1 year ago

    Great video. Great shirt!

  • @lowbar77
    @lowbar77 1 year ago

    Here is a strange question. If I set up my iphone to use touch ID or face ID, can I set the phone to use the yubikey if either of those fails or does it have to have a passcode? I am trying to prevent someone from stealing my phone, running away and unlocking it with my passcode and locking me out of everything. My thought is that if I use face or touch ID, if someone grabbed the phone and ran, if I had the passcode set to the yubikey, instead of a passcode, would it stop them from accessing the phone due to the fact that they don't have the yubikey? I know, it's a dumb question.

  • @ThingEngineer
    @ThingEngineer 1 year ago

    Is there a hardware key that has a self destruct feature (like a button or switch to wipe/disable it)?

  • @ridge9973
    @ridge9973 9 months ago

    I have two yubikeys which I didn’t register at the same time. My question is: can I register them (both) anew (at the same time)? Thank you for your kind answer.

  • @808bigge2
    @808bigge2 11 months ago

    Hi Shannon, like I mentioned in another video, using your code I got $10 off because I bought 2 yubikeys!! But I bought these because I thought since this can unlock cell from camera scan vs USB plug into MacBook Air2 fingerprint. I don't want to set up through MacBook with fingerprint to open my wallet, and if I die my daughter knows my wallet password but doesn't have my fingerprint!! Can't I set up yubikey through MacBook Air2 camera scan?? If so, do you know a safe QR code app that won't steal or store my code to steal my wallet?

  • @AlainGaudet
    @AlainGaudet 1 year ago

    Great video! Is it possible to use Yubikeys security key when physically paralyzed?

  • @KevinTurner-aka-keturn
    @KevinTurner-aka-keturn 1 year ago

    I'm trying to think through the scenario you described as the Reddit compromise, which sounds to me like a mal-in-the-middle situation where the attacker convinced the mark to type in their TOTP code to the phishing site and then relayed it through to the target site in near-real-time. I watched the "debunking 5 myths", but this part still isn't clear to me yet: how does a key defeat that attack? Does the protocol restrict the key from sending its response to a server other than the one designated for that account? How does that work?

  • @steamfox

    @steamfox

    1 year ago

    I was a bit surprised this wasn't mentioned in the video since it seems to be what truly differentiates a FIDO2 key from for example an auth app or a "legacy" HW key. In my understanding FIDO2 protocol does protect from this type of attack, making it an "unphishable" authentication method.

  • @gblargg

    @gblargg

    1 year ago

    @@steamfox How can they defend against this? The middleman essentially relays everything until validated.

  • @jamesphillips2285

    @jamesphillips2285

    1 year ago

    @@gblargg The middle-man uses a look-alike domain. So if the domain name is used in the challenge: the response won't be correct for the real website.

  • @gblargg

    @gblargg

    1 year ago

    @@jamesphillips2285 How does the USB device know where the challenge is coming from? Just forward the authentic challenge from the authentic site.

  • @jamesphillips2285

    @jamesphillips2285

    1 year ago

    @@gblargg Without getting into the standards documents (Apparently U2F was renamed CTAP is how far I got), the browser must pass on the web domain as part of the challenge.
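
    The origin binding discussed in the thread above, as an added example that is not part of any commenter's post and not code from the video or from a key vendor: a simplified Node.js model of how the browser writes the page's origin into the data the key signs, so a relayed challenge fails at the real site. The domains, function names and the single-key authenticator are assumptions made for illustration; real WebAuthn encodes these fields differently and scopes each credential to one site.

```javascript
const nodeCrypto = require('node:crypto');
const sha256 = (data) => nodeCrypto.createHash('sha256').update(data).digest();

// Authenticator (the hardware key): signs SHA-256(rpId) || SHA-256(clientDataJSON).
// Simplification: one key that signs for any rpId. A real key scopes each
// credential to the rpId it was registered for.
function makeAuthenticator() {
  const { publicKey, privateKey } =
    nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const sign = (rpId, clientDataJSON) => nodeCrypto.sign(
    'sha256', Buffer.concat([sha256(rpId), sha256(clientDataJSON)]), privateKey);
  return { publicKey, sign };
}

// Browser: fills in the origin of the page it actually loaded. Page script,
// and therefore a phishing relay, does not get to choose this value.
function browserGetAssertion(authenticator, pageOrigin, challenge) {
  const rpId = new URL(pageOrigin).hostname;
  const clientDataJSON = JSON.stringify({ type: 'webauthn.get', challenge, origin: pageOrigin });
  return { clientDataJSON, signature: authenticator.sign(rpId, clientDataJSON) };
}

// Real site: checks its own challenge, its own origin, then the signature.
function serverVerify(publicKey, expected, assertion) {
  const clientData = JSON.parse(assertion.clientDataJSON);
  if (clientData.challenge !== expected.challenge) return 'challenge mismatch';
  if (clientData.origin !== expected.origin) return 'origin mismatch';
  const signed = Buffer.concat([sha256(expected.rpId), sha256(assertion.clientDataJSON)]);
  return nodeCrypto.verify('sha256', signed, publicKey, assertion.signature)
    ? 'ok' : 'bad signature';
}

function runScenarios() {
  const key = makeAuthenticator();
  const expected = { rpId: 'example.com', origin: 'https://example.com',
    challenge: nodeCrypto.randomBytes(16).toString('hex') };
  // 1. User is on the real site (constructed domain).
  const legit = browserGetAssertion(key, expected.origin, expected.challenge);
  // 2. Look-alike site (constructed) forwards the authentic challenge.
  const relayed = browserGetAssertion(key, 'https://examp1e.test', expected.challenge);
  // 3. Relay rewrites the origin field after the key has signed.
  const forged = { ...relayed, clientDataJSON:
    relayed.clientDataJSON.replace('https://examp1e.test', expected.origin) };
  const check = (a) => serverVerify(key.publicKey, expected, a);
  return { legit: check(legit), relayed: check(relayed), forged: check(forged) };
}

console.log(runScenarios());
```

    The relayed response is rejected on the origin field, and editing that field afterwards invalidates the signature, which is the difference from a TOTP code that carries no information about where it was typed.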

  • @gblargg
    @gblargg 1 year ago

    Too bad hardly any sites support this kind of thing. Another version of this is something like Google's Authenticator. Run it on an old air-gapped phone. More things support this. A big problem with all these is account recovery, which uses alternate less-secure means. What happens if you lose the key or it gets stolen? How do you get into your account or stop them from doing so? If you can do either of these without the key, an attacker can do this to your account without the key. (I had to dumb this down because KZread was deleting my comment. I guess we can't discuss this topic.)

  • @RobSnow-ui4sz
    @RobSnow-ui4sz 7 months ago

    Great video - So how do you prevent Google from using SMS? You can do it with a work account but not in a public account. Would you have to use Google Advanced Protection Program on your personal account in order to prevent SMS? Then you can't use an authenticator app.

  • @khayla_matthews
    @khayla_matthews 1 year ago

    Really useful info. & I love your t-shirt! It's so cute

  • @ShannonMorse

    @ShannonMorse

    1 year ago

    Thanks so much!

  • @nonshatter7
    @nonshatter7 1 month ago

    When it comes to Crypto hardware wallets most recommend going directly to the maker to purchase rather than a third party like Amazon (due to the threat of tampering etc). Would you suggest the same thing for Yubikeys?

  • @MrGhost9640
    @MrGhost9640 5 months ago

    Curious if I bought a USB-A security key and wanted to use a USB-A female to USB-C plain Jane adapter, would this work or is it specific to the company?

  • @daishi5571
    @daishi5571 1 year ago

    I was using a hardware key (can't remember which one) a few years ago, but it failed suddenly after a few months of use. I haven't tried another one since.

  • @courageousone3510
    @courageousone3510 8 months ago

    Hi, great video!! Question: how do you log into a website that doesn't use a key but wants you to use 2FA instead?

  • @allanjones9068
    @allanjones9068 9 months ago

    Will I be protected from session hijacking if I'm using a Yubikey as 2FA? It didn't get very clear if someone gets my cookies they'll be able to log in even with the key. Thank you

  • @NWforager
    @NWforager 1 year ago

    Good to set up a voicemail PIN too.

  • @Raintiger88
    @Raintiger88 1 year ago

    I would be using it, but most of the critical sites I use (like my banking), do not support it.

  • @JohnnyMcMenamin
    @JohnnyMcMenamin 1 year ago

    I've been nothing short of secure (and pleased) using my Google Titan key.

  • @uptbug
    @uptbug 1 year ago

    As I sit here in my living room, nodding my head in agreement to the statement 'hardware keys are a must', I look down and notice that I am currently wearing my green and blue yubikey socks.

  • @networknightmares7744
    @networknightmares7744 1 year ago

    So hardware keys aren't 2FA? Confused... I thought they were a 'second factor'

  • @winnie8614
    @winnie8614 1 year ago

    How would this YubiKey prevent a hacker who planted malware on your machine from intercepting the key/generating more auths on your behalf?

  • @ledgeri
    @ledgeri 1 year ago

    Cool and all, but until the used 2FA protectable accounts / total accounts', and key protectable accounts / total accounts' number does not increase, I can try to use these, but will not be able. Also some sites straight up using keys stupidly: not as a second factor, but an alternative single, and I clearly see the possibility for that someone uses password only, and a key, and those are not protecting each other. OR I have to have an other kind of 2FA so I can use my keys, but the other kind is the baseline, and I manually have to change, at every login.

  • @shortfoodreviews
    @shortfoodreviews 1 year ago

    Thank you

  • @colbyhartman9467
    @colbyhartman9467 1 year ago

    What works for the gaming like Steam and Blizzard and Escape from Tarkov, and emails and stuff like that, without having 100 of them? I've been looking but I haven't been able to find one to know exactly what I need and didn't want to buy the wrong one. Please help me?

  • @michaelupchurch3779
    @michaelupchurch3779 1 year ago

    Hey Shannon, will the Yubikeys work with iOS devices including iOS tablets?

  • @tanked1313
    @tanked1313 1 year ago

    Oh thank God I thought I was compromised! I've had a yubikey for years!

  • @tjbrison
    @tjbrison 1 month ago

    Try using a hardware key without a mobile phone. Big Tech wants your IMEI number for authentication and cross device tracking - locking down the individual to specific hardware. Then there are the number of companies that simply don't support hardware token based 2FA. I know of one bank that doesn't even allow complex long passwords! A small amount of research seems to suggest that the reason 2FA is being advertised and pushed isn't for your security. It's for tracking who you are and what you do - especially those companies who don't allow 2FA without involving a mobile device

  • @SuntaX10
    @SuntaX10 1 year ago

    Hey if I used a secure key on google can I use that for a different service like apple?

  • @JuxZeil
    @JuxZeil 1 year ago

    Why do you need to fork out for those when you can use a cheap throwaway pendrive instead?...just need to point to the encrypted keys/login data on a specific port.

  • @srikargottipati
    @srikargottipati 1 year ago

    But the issue with most sites is that they let you bypass the hardware key easily, where you can choose the option to not use it, and then the site falls back to SMS or email code etc.

  • @ShannonMorse

    @ShannonMorse

    1 year ago

    Depends on the site. Some let you do that, some let you turn off backup options entirely. If you turn off the backup options though make sure to print out the backup one time use codes they give you during setup

  • @Barbara-lu7ch
    @Barbara-lu7ch 4 months ago

    So when the key fails, as hardware does, are you locked out?

  • @tomharkness
    @tomharkness 1 year ago

    Can you make your own Yubikey with a plain USB? Or something similar

  • @anothersoulintheuniverse
    @anothersoulintheuniverse 11 months ago

    Can one key be used for several social media apps and emails?

  • @dexterman6361
    @dexterman6361 1 year ago

    Thank you!

  • @Simply_Human23
    @Simply_Human23 1 year ago

    Looks small, I'm usually pretty good at keeping up with things but once in a blue moon I misplace items especially small items thus I'm nervous of what might happen if I lose the physical key is there another method of accessing our accounts if we accidentally misplace it? regardless this is something I'll definitely look further into I have 2FA on all accounts but if physical hardware keys are safer I'm open to trying them instead. thanks for the info ✨🔐

  • @BryceKatz

    @BryceKatz

    1 year ago

    I keep mine on a lanyard, but yes, once you enable 2FA, most places will provide at least one "break glass" recovery code that you can use to authenticate if you lose your YubiKey. A lot of services also let you enroll more than 1 option, so you can use a YubiKey as your primary & an authenticator app as a backup. Ideally they'll let you enroll 2 YubiKeys: 1 for your "everyday carry" and 1 as a "break glass" backup - but that's highly dependent on the service in question.

  • @AlDunbar

    @AlDunbar

    1 year ago

    I'm wondering... if someone steals or finds a yubikey what other information do they need to use it to access your accounts? Can you repudiate a lost key, just in case, and then revert to your backup key? If so, what other info do you need to know to do so?

  • @stnkpalm
    @stnkpalm 1 year ago

    What if you have employees at your organization who already detest 2FA / MFA. We're worried that if we give them a key they will just leave the key plugged into their work desktop or laptop docking station all the time. In other words what happens if someone just leaves their key plugged into a USB port every night when they leave work for the day. What about number matching MFA? I know number matching MFA isn't 100% secure either but it's probably a bit better than just MFA with an auth app or text message code.

  • @azclaimjumper

    @azclaimjumper

    1 year ago

    Even if a person leaves the key inserted in their computer when they go home, someone else still won't be able to log onto the computer without the PIN & then they have to physically touch the Yubikey when asked to do so.

  • @GrueTurtle
    @GrueTurtle 1 year ago

    You mentioned behavioral authentication. I remember a few years back a service I was using would analyze the way that you type in order to determine whether it was you typing your password or not. Whatever became of that technology? Did it not prove reliable?

  • @DennisMathias

    @DennisMathias

    1 year ago

    Too replicable.

  • @zapman2100
    @zapman2100 1 year ago

    And yet none of these companies will ever allow these to be used with any product because they don't really care about your data and its security.

  • @techadsr
    @techadsr 1 year ago

    Overall, great video. Industry needs more adoption of these hardware keys. Just one nit though. The pattern unlock is not really behavioral authentication.. yeah, maybe if they implement it with more than just detecting which numbers were touched. Behavioral auth to me is more like the key cadence measurement and mouse movement with detected reaction to small movement interference. They could do that with the number swipe pattern but how many implementations do that?

  • @JediOfTheRepublic

    @JediOfTheRepublic

    1 year ago

    No we don't. The industry just needs to use proper MFA practices.

  • @TheHeff76
    @TheHeff76 1 year ago

    Shannon, I love my YubiKeys. What is that full callsign on the shelf? I'm a HAM Extra! And Ethical Hacker. Oh the fun we have on the air. LOL.
