How Security Keys work (2FA explained!)


Out now: NBTV’s new ebook, Beginner’s Introduction to Privacy, available at:
amzn.to/3hCGEmk
For most people, a weak password is all that’s standing between your digital life and a hacker, and if that password is ever cracked, or leaked, you’re in big trouble.
Security keys are one of the best ways to protect your accounts. They’re incredibly convenient, easy to use, and provide the best kind of multi-factor authentication. In this video we’re going to explain how security keys work, and show you how to choose one that’s right for you.
We dive specifically into Yubico "Yubikeys" and other products in this video, and will look at open source alternatives in future videos!
00:00 Intro
00:33 2FA and Multifactor Authentication
03:13 TOTP and Authenticator Apps
05:38 What is a Security Key
09:03 How To Use a Security Key
10:18 Understanding Security Key 2FA
12:04 Security Key Models
15:18 Important Tips
17:04 If Security Keys Are Not Accepted
18:10 Outro
More and more websites support security key 2FA. If you want the best chance of fighting off phishing attacks, you absolutely need one of these protecting your accounts.
Brought to you by NBTV members: Lee Rennie, Reuben Yap, Sam Ettaro, Will Sandoval, and Naomi Brockwell.
To support NBTV, visit www.nbtv.media/support
(tax-deductible in the US)
Sign up for the free CryptoBeat newsletter here:
cryptobeat.substack.com/
Beware of scammers, I will never give you a phone number or reach out to you with investment advice. I do not give investment advice.
Visit the NBTV website:
nbtv.media
Watch this video on Odysee!
open.lbry.com/@NaomiBrockwell...
________________________________________________________________________
Here are a bunch of products I like and use. Using these links helps support the channel and future videos!
Recommended Books:
Permanent Record - Edward Snowden
amzn.to/305negc
No Place to Hide: Edward Snowden, the NSA, and the U.S. Surveillance State - Glenn Greenwald
amzn.to/2UQmJ4m
What has the government done to our money - Rothbard
amzn.to/2KMzmcu
Extreme Privacy - Michael Bazzell (The best privacy book I've ever read)
amzn.to/3BLZ1gq
Naomi's Privacy Bag: some of my favorite products to help protect your privacy!
Use the Brave browser! brave.com/nao076
USB-C to ethernet adapter:
amzn.to/2lOVBoy
Faraday bag (signal stopping, to protect your fob, credit card, computer, and phone)
amzn.to/3DjIvCP
Data Blocker (if you're charging your phone in an unknown port, use this so that no data is transferred)
amzn.to/2SVh0J2
Computer privacy screen (use your computer in public? Keep your information safe! Choose the size right for your computer)
amzn.to/3F816Sn
Phone privacy screen (don't let people in public see your private data, choose the size for your phone)
amzn.to/3wNtYwb
Camera cover (for computers and phones, so no one can access your camera without you knowing)
amzn.to/2Mt7Hic
Privacy Tip: Turn off your wifi and bluetooth when you're not using them!!!

Comments: 345

  • @outbackeddie
    @outbackeddie 1 year ago

    I'm glad you focused on just one product. I'm "technologically challenged" and information overload is a real problem for me.

  • @suicidalpig2792
    @suicidalpig2792 1 year ago

    Great content as always Naomi. It's a fantastic service you are providing explaining how to secure our online transactions & keep our information safe. Please keep up the great work you do 😊 Greg

  • @CCalquemist
    @CCalquemist 1 year ago

    This channel is a blessing. Your videos are amazing! ♥️♥️✨

  • @wingandhog
    @wingandhog 1 year ago

    I have thought about this level of security for quite some time. After this review, I think it’s an important addon to consider. I think I will order a Yubi

  • @johnc202
    @johnc202 1 year ago

    Great video Naomi, Yubico, what a great explanation......Thank you!!

  • @martinwalker3088
    @martinwalker3088 1 year ago

    Another great video to get my head around. Thank you Naomi

  • @reikhard
    @reikhard 1 year ago

    You are the BEST Naomi !!!

  • @barriewright2857
    @barriewright2857 1 year ago

    Brilliant so much information but very useful and helpful, thank you.

  • @openeroftheway8596
    @openeroftheway8596 1 year ago

    Public key security is awesome. Phil Zimmermann and others changed the world. God bless them. God bless you and your team, Naomi. You bring good knowledge to many seekers. Thank you.

  • @vacsimile

    @vacsimile

    1 year ago

    Agreed, public key cryptography is amazing. Phil Zimmerman is a hero.

  • @chadboga1784
    @chadboga1784 1 year ago

    Great explanation Naomi!!

  • @antonygoedhals6272
    @antonygoedhals6272 1 year ago

    Great video! Thanks to you and Yubico.

  • @kevinfranco5449
    @kevinfranco5449 1 year ago

    There's only one thing I can say about this video, AMAZING, I have never thought about security in that way, it's shocking when you realize that you're unprotected

  • @edmundpotrzeba8455
    @edmundpotrzeba8455 1 year ago

    Loved your honest and easy to follow video, thank you ❤️

  • @natemarx4999
    @natemarx4999 1 year ago

    Naomi represents greatness.

  • @jbrock8596
    @jbrock8596 1 year ago

    I appreciate this video about security keys, you made it seem very simple. I think I am finally convinced to take the plunge, although password managers and security keys seem harder to implement when families are involved with shared passwords and access like they are in my household. I guess that sharing just makes the security more important, but it requires changing some habits as well as adding some new technology like security keys.

  • @NaomiBrockwellTV

    @NaomiBrockwellTV

    1 year ago

    Oh passwords managers make it even easier for families because you can share passwords super easily!

  • @BUBBLETEABOY
    @BUBBLETEABOY 1 year ago

    I've been using them for years, love these keys, btw love love your channel.

  • @thesingularity1010
    @thesingularity1010 1 year ago

    Thanks Naomi. Looking forward to your open source comparisons and options. Assuming Nitrokey and hopefully soon Mullvad.

  • @robertmonaghan5420
    @robertmonaghan5420 5 months ago

    Naomi Is Awesome! Thanks for The Insights and Tips. I've learned A Lot watching Your Videos. Thanks

  • @ronm6585
    @ronm6585 1 year ago

    Great info. Thank you Naomi.

  • @John-oz1do
    @John-oz1do 1 year ago

    Very informative, thank you

  • @frodev728
    @frodev728 2 months ago

    Naomi! I love your videos on security issues, always well researched and clearly presented. I’m hoping you will do an in depth video on PASSKEYS soon!?!? any clues as to when we can expect this? 🙏

  • @iMontemo
    @iMontemo 1 year ago

    Great video. Thank you!!

  • @bcadams75
    @bcadams75 1 year ago

    Excellent breakdown of security keys

  • @ldc1963
    @ldc1963 11 months ago

    Great video, lots of useful stuff, thanks

  • @brucesyvertsen2147
    @brucesyvertsen2147 1 year ago

    Excellent information!

  • @you3d
    @you3d 1 year ago

    What happens when the security key malfunctions? To fix this, two or more security keys should be registered, where either one of them can be used to unlock the user from the mess.

  • @TMOC1977

    @TMOC1977

    1 year ago

    I was also worried about this... What if I lose it, or it is damaged... Will I be locked out of my accounts? Naomi didn't mention if there was a seed phrase or something similar to use to recover if those scenarios happen.

  • @Chipchap-xu6pk

    @Chipchap-xu6pk

    1 year ago

    That's why they said to get multiple keys. Having a seed phrase somewhere is a risk. If one key breaks or gets lost, you can use the other. If you register multiple keys to an account, you can use any of them to access it.

  • @firalia

    @firalia

    1 year ago

    @@TMOC1977 That's why she said you need to get a minimum of 2 keys

  • @davidyorkmunster9745
    @davidyorkmunster9745 1 year ago

    I always wanted to get a Key, but was overwhelmed by all the information, thanks for clearing this very important topic for nubs like me. Greetings from Switzerland

  • @KennyChong
    @KennyChong 1 year ago

    Excellent video and couldn't have come at a better time as I've just received a set of security keys but have not set them up yet. I have read online of people using the same code to register their main as well as backup keys while in the video, the backup key is registered with a different code from the main key. Maybe seasoned security key users here might be able to comment on which method is better? Or maybe it doesn't make a difference?

  • @chillsmeit
    @chillsmeit 1 year ago

    When you talked about TOTP you could have referred to the Aegis OTP Android app, it's FOSS! Great work regardless!

  • @nilesalih1740
    @nilesalih1740 1 year ago

    It's the best 👌 thanks a lot

  • @buckleymordecai9605
    @buckleymordecai9605 1 year ago

    SOOOOO helpful!

  • @gerry2345
    @gerry2345 1 year ago

    I like this vid. Good insight.

  • @horsethief1472
    @horsethief1472 1 year ago

    Thank you sooooo much for doing this video! I use 2FA on my of my accounts but my old email was hacked recently, and it was devastating. I saw this security key option on some accounts, but it was very confusing. I will be ordering one of these options directly from the supplier tonight. Thank you again for helping to keep us safe.

  • @NaomiBrockwellTV

    @NaomiBrockwellTV

    1 year ago

    💛

  • @edwardmacnab354

    @edwardmacnab354

    1 year ago

    my bank has rescinded email and landline options for receiving verification codes and will do so only on smartphones

  • @Itsme-vo4fx

    @Itsme-vo4fx

    1 year ago

    @@edwardmacnab354 : The problem with having a code sent to a smart phone is, if I am outside my home country I don’t use my phone because of the high roaming cost. I once had to open my phone, in a different country, and after being closed for a month I received hundreds of emails and notices that were “parked” because the phone was closed. It cost me a fortune just to use my phone for five minutes. With email, I can use WiFi on my iPad to receive the authorization code without any cost. Using your cell phone is fine if you are within your provider’s territory.

  • @edwardmacnab354

    @edwardmacnab354

    1 year ago

    @@Itsme-vo4fx I have two situations where my bank AND Microsoft on Windows 11 will not allow email or landline but only text, and I do not have a mobile device that receives text. I have a landline that does not do text. Also, thanks for the heads up on that "parked" dam burst overcharge situation with the backed up email. Terrible!

  • @loneranger5928
    @loneranger5928 1 year ago

    Nice content👍👍 Can you secure a computer or mobile device operating system with a Yubico key?

  • @jwillisbarrie
    @jwillisbarrie 1 year ago

    Thanks for adding actual captions for the Deaf

  • @evtyler
    @evtyler 1 year ago

    Great video!

  • @tyrojames9937
    @tyrojames9937 1 year ago

    GREAT INFORMATION!👔😀

  • @LennyinFlorida
    @LennyinFlorida 1 year ago

    Thanks

  • @ericae9007
    @ericae9007 1 year ago

    Thanks for your expert research and information! ❤

  • @Deleurme
    @Deleurme 1 year ago

    Hello. I go through google translate (sorry, I'm French): Thank you for your video which is very instructive. You demystify computer security.

  • @NaomiBrockwellTV

    @NaomiBrockwellTV

    1 year ago

    Thanks so much for watching! 🥐

  • @matt_kelly
    @matt_kelly 1 year ago

    I have a variety of devices on several platforms and the one that makes me hesitant about the YubiKey is the support for USB-C iPads isn't great. It's an Apple problem, not a Yubico problem, but still something to consider.

  • @RagnarRipper
    @RagnarRipper 1 year ago

    PIV is definitely my favorite way to authenticate... And I'll see myself out now.

  • @videocruzer
    @videocruzer 1 year ago

    I too was also a Contractor for many years in the communications industry. I literally got to install the very first real time Packet Sniffing Server on the West Coast of Canada Friday the 8th 2001. At that time the Co that I worked for handled about 99% of the Data on and off Vancouver Island British Columbia Canada. The Black box was mandated to be installed in every head end in Canada that sold the internet or lose the ability to sell the internet. Mandated by the CRTC just before 911. Funny part of that story: I helped install that Black box Friday and then Tuesday this group of people flew planes into building and life changed for everyone almost instantly. Pretty funny story when only a couple of us knew that 1/2 mill box was sitting in our head end. The going joke back then when someone was standing next to it.. We would mutter.. That's one hell of a Black Box. As of late we have been told that the federal police in Canada's Communications network is now compromised by overseas Countries, last week we were told that all Video surveillance security devices in North America also compromised. My bet is not one chip shipped in the last 50 years would not pass the new inspection process. Pretty funny story Bro.

  • @hamad7
    @hamad7 1 year ago

    What's KZread doing not recommending this channel all those years?

  • @Steven_nevetS
    @Steven_nevetS 1 year ago

    Very very useful info Naomi. Thank you. I think losing these keys is going to be a problem....

  • @NaomiBrockwellTV

    @NaomiBrockwellTV

    1 year ago

    Make a backup!

  • @johnsynapse2407
    @johnsynapse2407 1 year ago

    Can using a security break siloing/isolation by being linked through the Key ID?

  • @nancym1430
    @nancym1430 2 months ago

    At 16:41 you say that if your key is lost/stolen, you just log into the affected accounts and delete that key. So I assume you have to use the backup key to log in, right? Thanks.

  • @josank
    @josank 1 year ago

    Reflections and observations....

    1) Showstopper bugs as more of these are deployed. Emergency patches for your little key.
    2) Your primary and backup both get stolen/damaged/lost, especially when traveling internationally.
    3) The joy of dealing with logins when traveling after both keys, for whatever reason, choke.
    4) Designing security that relies on cheap, fragile dubious hardware.
    5) Hacks to work around the root cause, which are operating systems that have horrible, creaking architectures baked in which invite endless flaws and bugs (0 day exploit du jour).
    6) Making the login process so tedious and annoying that people just start avoiding doing business online as the overhead, stress and drama is intolerable.
    7) You need a trusted friend or family member to log into your account during an emergency (like being detained by authorities in some borderline police state) and they have confiscated your keys. You are so screwed.

    The examples given above are all based on real events encountered over the years in my job. I've been in the computer security business for a long time. It continues to devolve. Hacks on top of hacks.

  • @transmitthis

    @transmitthis

    1 year ago

    I'm halfway through Cory's "Attack Surface", so I'm inclined to believe you. Plus the other peeps above who mention the Security Keys are only ever an "option" for websites, with the fallback being phone text or email, which seems to render these keys of very little actual use.

  • @edwardmacnab354

    @edwardmacnab354

    1 year ago

    Please start a channel! ALSO--- I'm going to use phone text verification for all my online banking transactions, it seems reasonable but then, the bank gives me no other option anyway. I cannot say how well this works as I haven't even set it up yet. I wish I could just mail cash to people, far less risky!

  • @hmssirius9343
    @hmssirius9343 2 months ago

    Do you need multiple physical keys, for example, if you had more than one twitter or gmail account?

  • @chalion8399
    @chalion8399 1 year ago

    You can't state it enough. You need to be as secure as you can make yourself online. No one is going to take care of your online presence if you don't do it yourself. You may be just one fish in a huge ocean, but there are many people just looking for an opening to take whatever they can get from as many people that they can to benefit themselves. So, using any extra security just makes sense, even though it may be sometimes annoying to have to use it. Once you start using extra security and get used to using it all the time, you will not notice that inconvenience anymore. It'll just be habit.

  • @gigigigi9479
    @gigigigi9479 1 year ago

    If someone gets hands on your security key( yubikey) can it be modified?

  • @capnmark4
    @capnmark4 1 year ago

    Thanks...I got a Yubikey a couple of years ago and it wound up being more of a pain than anything else. Not really the key's fault but the number of websites that didn't support 2FA via a security key. Most of them did support one or more authenticator apps so that is the way I've gone when I could and SMS when that is the only thing available. Now If I could just get the rest of them to move away from re-Captcha

  • @firalia

    @firalia

    1 year ago

    Yubikey 5 supports TOTP, which are the authenticator app codes. You can use it those as long as you have the Yubico app that supports them. That being said, I still think even the more basic Yubikeys are worth it for protecting your most sensitive accounts (email, password manager, bank if you can). Even if most regular things don't support it, the important things do, and that's what matters imo.

  • @lloydl2943
    @lloydl2943 1 year ago

    It seems like the Webauthn passwordless technologies such as Apple Passkey eliminate the need for hardware keys such as the ones made by Yubico, at least for individual users. Do you agree?

  • @electroteque
    @electroteque 1 year ago

    I use my Yubikey 5 for my Windows login also.

  • @dorkusmaximus3033
    @dorkusmaximus3033 3 months ago

    Thanks!

  • @NaomiBrockwellTV

    @NaomiBrockwellTV

    3 months ago

    Wow thank you so much for your support!!

  • @feudiable
    @feudiable 1 year ago

    Thanks again for the great information! So do I understand that correctly that to back up your login method in case you lose/break your key, you still need a different (ideally 2FA) method to log in? (Be it another key, TOTP etc)

  • @mbunkus

    @mbunkus

    1 year ago

    Yes. Backing up your 2FA is indeed a problem few people talk about. This area is where authenticator-apps based schemes actually have an advantage: most offer to back up your set of TOTP settings & secrets automatically & regularly. However, those backups have to be stored in a safe way, too. As for hardware tokens: I have several friends that actually have two sets of tokens: one for daily use, carried around with them; and another one for backup purposes, stored somewhat safely but still easily accessible. For each new site they want to access they enroll both hardware tokens. If you don't have any type of backup of your 2FA device/software, you implicitly rely on the site's password recovery functionality - and all the insecurity that might entail (mostly a question of how secure your email account is). Then again, I don't know a lot of sites that actually allow you to disable password recovery functionality for your account. It's all a bit… meh.

  • @feudiable

    @feudiable

    1 year ago

    @@mbunkus Oh, I didn't even think about the password recovery options, thanks a lot for your insights!

  • @karmakanic475
    @karmakanic475 4 months ago

    Minute 16:30 if someone steals my bag that has my laptop and authentication key. How can I log into my account from somewhere else when I don't have the key and I didn't make a backup?

  • @__-nr9yh
    @__-nr9yh 2 months ago

    So two or more keys can be tied to any one account at any one time, and any one of the keys can grant account access?

  • @sachybullock3855
    @sachybullock3855 3 months ago

    Is the Google Titan key good?

  • @Torterra_ghahhyhiHd
    @Torterra_ghahhyhiHd 1 year ago

    Can I add a YubiKey on to the Trezor?

  • @MichaelSekati-gg4rk
    @MichaelSekati-gg4rk 1 month ago

    Where do I make the purchase for those security keys? 😮

  • @igorangelievish8111
    @igorangelievish8111 1 year ago

    Hi Naomi, best 2fa for iPhone, many options, don’t know how to choose. I’m little slow😂😂😂😂thank you

  • @genericdude6551
    @genericdude6551 3 months ago

    I use these yubikey security keys and they can be a hassle to use. Especially if you want to make a backup key later.

  • @B13SR
    @B13SR 1 year ago

    Can you make a video privacy focused NAS/Home cloud storage.

  • 1 year ago

    Yubico's website suggested the bio series don't have PGP. I'm confused.

  • @HiveMind2024
    @HiveMind2024 1 year ago

    You look amazing without glasses.

  • @mrv1264
    @mrv1264 4 months ago

    You didn't discuss the most important issue: compatibility with web sites that the individual needs to use. The much larger challenge is for web sites, enterprises, services, etc. to adopt a given mechanism for individuals to use for 2FA. What good is any of these security keys if web sites don't offer it as an option for 2FA? At the end of the video around 17:00, you briefly discuss this, but you could enhance the discussion by addressing the various protocols and the problem that, even if a web site offers security key 2FA, the problem is compatibility and support of specific systems and protocols.

  • @tigreonice2339
    @tigreonice2339 1 year ago

    Make a video about Google Authenticator. Because Yubico key isn't sold in my country : (

  • @DevinAdint
    @DevinAdint 9 months ago

    Now if they could make one with built-in key fob ability and Schlage door locks that support NFC and FIDO and then just slap an airtag key chain on it and it would be the only thing and your phone you'd have to go out the door with.

  • @pauliusnarkevicius9959
    @pauliusnarkevicius9959 1 year ago

    What if Last Layer would have Weakness for messing everything around and no point for previous Inputs?

  • @send2gl
    @send2gl 1 year ago

    Your video has spurred me on to look in to these devices. A quick comparison on price with Yubico and Google's Titan shows the latter at 2/3rds the cost of Yubico and the Titan cost is for two devices. Now I know one usually gets what one pays for but these do look very simple solid state hardware devices so am wondering what would prompt someone to buy an expensive one.

  • @NaomiBrockwellTV

    @NaomiBrockwellTV

    1 year ago

    www.zdnet.com/article/new-side-channel-attack-can-recover-encryption-keys-from-google-titan-security-keys/

  • @send2gl

    @send2gl

    1 year ago

    ​@@NaomiBrockwellTV Thank you for prompt reply. Report does suggest physical possession of key is required to enact the vulnerability so guess it negates that weakness unless keyholder is a particular target.

  • @send2gl

    @send2gl

    1 year ago

    Further to my earlier query, the Google Titan sales page is a wee bit misleading, under what's in the box it gives the impression two devices are included, it is actually just one which therefore negates any initial bargain impression.

  • @danohanlon8316
    @danohanlon8316 9 months ago

    My bank uses 2FA codes sent by email-but I have also set up with it voice identification. So isn’t that really 3FA?

  • @rphilipsgeekery4589
    @rphilipsgeekery4589 1 year ago

    I'm using Google titan keys , with Google advanced protection enabled , I found yubi to be a bit tricky on android

  • @Domo01
    @Domo01 1 year ago

    Tubi key 🔑 is the best for security.

  • @DSR299
    @DSR299 11 months ago

    What if my email is MSN and not Gmail AND the email is hidden in a Password Vault? AND, what if I want to only use a Security Key for the iPhone and NOT the Desktop Computer?

  • @M167A1
    @M167A1 1 year ago

    Great idea, too much trouble, all my users forget or lose their keys unless you tie it to them.

  • @agnosticmanquestionsall2409

    @agnosticmanquestionsall2409

    1 year ago

    Also it better be frost, heat, and water resistant.

  • @almarma
    @almarma 1 year ago

    Very interesting videos about security. I have one doubt though: I feel these keys are really secure against online threats, but aren't they much less secure physically? I mean, what if your children take it while you're sleeping to buy stuff online? Or worse, what if during a break at work, you leave it plugged in your laptop and a colleague or boss uses it to spy on you? My examples are quite simple, but I suspect there're some potential risks there, at least from a first look at it.

  • @MrTibast75

    @MrTibast75

    1 year ago

    Well even if they had the yubikey they would need to have access to your open computer with an open email right? Just remember to log out and it is fine.... And if this still concerns you, get a bio yubikey that requires a fingerprint too

  • @beardlyinteresting
    @beardlyinteresting 1 year ago

    I'd always thought it was strange that asymmetric keys weren't used for web site authentication. It's nice to know this tech is now being utilised.

  • @catchnkill

    @catchnkill

    1 year ago

    It already does. Web sites now use https and it uses public key cryptology to prove that you are connecting to a site that it claims to be.

  • @beardlyinteresting

    @beardlyinteresting

    1 year ago

    @@catchnkill Yeah that's not what I meant. I meant that you can't register to a site by giving them a public key so then only someone with the corresponding private key could then login to that account.

  • @JadeSambrook
    @JadeSambrook 9 months ago

    If I am using security keys do I turn off all other 2FA options (SMS and Authenticator App) to maximize security? Or is it okay to leave another option turned on (for example Authenticator App) in case I lose my security keys? In other words, what are the recommended best practices when, for example, an account like Facebook allows for several 2FA options to be turned on at the same time?

  • @NaomiBrockwellTV

    @NaomiBrockwellTV

    9 months ago

    I would turn off sms where you can

  • @joseluisesquivelgregorio1948
    @joseluisesquivelgregorio1948 1 year ago

    Hi, thanks for the video. I would like to mention though that I come from Instagram and the title of your videos did not make it easy to find the one I was looking for 😅

  • @junaid2606
    @junaid2606 1 year ago

    As far as I know, banks in India provide only SMS based 2FA, which is highly insecure and most government bodies don't have any form of 2FA at all. If they do, it's only SMS based 2FA again. 2FA and security in India really needs a big boost.

  • @NaomiBrockwellTV

    @NaomiBrockwellTV

    1 year ago

    Banks everywhere are notoriously awful with customer security options

  • @felixaudet5860
    @felixaudet5860 2 months ago

    With the increasing number of websites that mandate you to download an app on your phone, and then scan an on-screen QR code for authentification, there needs to be a safer alternative for those who don't want the risk of a phone app. One better way of doing this would be a dedicated device, or just an updated login key device, that would have a camera that would allow to scan on-screen QR codes.

  • @generic_official
    @generic_official 1 year ago

    If an online service (primarily banks) only offers Email or SMS for 2FA, would Email be the better choice if it's locked down with a Yubikey?🤔

  • @NaomiBrockwellTV

    @NaomiBrockwellTV

    1 year ago

    A service locked with a yubikey is going to be better protected I would presume

  • @ygt-cd3mg
    @ygt-cd3mg 1 year ago

    I got 6 yubikeys, 2 security keys, 2 Yubikey 5C NFC USB-C and 2 Yubikey 5C NFC FIPS 140-2 USB-C. Not gonna lie it’s very addictive!

  • @ramadaneel8048
    @ramadaneel8048 9 months ago

    What is the use of 2FA and security key if your wifi is hackable with a single linux command ?

  • @smart_computing

    @smart_computing

    5 months ago

    Why do u hack the wifi in the first place, is it not to get password, now via security keys no password to send. The private key only stays on the device, you can't get it.

  • @zigmn903
    @zigmn903 1 year ago

    What about Pegasus?

  • @cleofaspintolimalima1627
    @cleofaspintolimalima1627 1 year ago

    ❤️❤️❤️

  • @Samy-ck8oo
    @Samy-ck8oo 3 months ago

    The problem that renders these keys useless is when you get your session cookie after you do your MFA. If your session cookie is long-lived, and the adversary steals it, then they can impersonate you without compromising your MFA.

  • @SergiiStarodubtsev
    @SergiiStarodubtsev 4 months ago

    Your phone may be that device where you tap: "yes" to login, why one more device? Phone 📱 requires user presence too.

  • @robloxfan4271
    @robloxfan4271 26 days ago

    they are quite expensive, but worth it

  • @dorothydeese2048
    @dorothydeese2048 1 year ago

    One thing to note

  • @GuntherGlesti
    @GuntherGlesti 1 year ago

    Can I later opt out of using a key? What if I lose the key?

  • @NaomiBrockwellTV

    @NaomiBrockwellTV

    1 year ago

    create a backup. And you can always opt out later.

  • @thomasreedy4751
    @thomasreedy4751 1 month ago

    So where are all of the follow up videos going over keys other than YubiKey and Fido2 authentication???

  • @fgregerfeaxcwfeffece
    @fgregerfeaxcwfeffece 5 months ago

    Even if used as the single factor these keys can be useful as they eliminate a lot of potential for user error. Using asymmetric cryptography was the better approach from the beginning. It is just not practical to do it by hand. Even the cheapest FIDO2 keys solve this. I would go as far as to say that on average it would be massively better to use FIDO2 instead of a password. Yes you could shovel snow with your hands, but there are better tools for that. We don't still use stone tools to cut wood either. Even though for some carving work they might technically still be sufficient. TOTP simply addresses an entirely different but adjacent problem. So I take a bit of an issue with the comparison here. Considering your focus on a specific product this seems especially dubious. Not a very favorable combination.

  • @chipset2900
    @chipset2900 11 months ago

    Wouldn't using a hard key be 3FA?

  • @mastalee1776
    @mastalee1776 1 year ago

    So basically u have to buy 2. And u need to take this key with u everywhere if u want to access your account(s). It's an interesting idea. But I can see it being really inconvenient at times. The question is, do these keys support crypto wallets like trustwallet, metamask etc?

  • @NaomiBrockwellTV

    @NaomiBrockwellTV

    1 year ago

    Yes it’s more inconvenient, absolutely worth it for the increased security.

  • @firalia

    @firalia

    1 year ago

    Realistically, you only need to link it to your most sensitive accounts, which you probably won't need to re-login to often, and you can attach a Yubikey to your car keys or something like that as well so it becomes less of a hassle to remember.

  • 1 year ago

    Nitrokey > all

  • @vacsimile
    @vacsimile 1 year ago

    Great video. I have been using Yubikey on critical accounts for a while now and it helps me sleep at night. Still shocks me that Bank of America only allows 2FA via SMS or email. I have written the angry emails but they don’t care.

  • @FixHart

    @FixHart

    1 year ago

    Every bank I've used has only ever allowed SMS as 2FA. It REALLY makes me mad, and I don't understand how institutions that handle sensitive, financial information don't have security keys or, at the very least, OTPs as a method of 2FA.

  • @manny7886

    @manny7886

    11 months ago

    Financial institutions (like banks and credit card companies) are notorious for not supporting physical keys as 2FA.

  • @XMP2K5

    @XMP2K5

    10 months ago

    Bank Of America does support Yubikey.

  • @Ianzzr
    @Ianzzr 1 year ago

    👍

  • @per_sev
    @per_sev 2 months ago

    Would be even better if they allowed people to choose this as the first factor of authentication before the password can be tried.
