STOP Using Passwords!

Science and technology

Passwords are not secure, and routinely allow online accounts to get hacked. In this video we'll use a YubiKey to protect our accounts with strong FIDO2 WebAuthn (W3C Web Authentication). I'll demonstrate how this works, explaining why passwords are insecure, why YubiKeys are much safer, and how they can protect you from hackers, phishing, and man-in-the-middle attacks.
Passwordless authentication is the future, and thanks to the FIDO Alliance it is gaining wider support. If you've ever wondered how it works, I'll show you.
🛒 Links to YubiKeys:
The links below are affiliate links, which means that if you make a purchase I may receive a commission. This doesn't affect the price, and helps support the channel.
As an Amazon Associate, I earn from qualifying purchases
YubiKey 5 Series (Featured in Video)
Supported Security Functions: WebAuthn, FIDO2 CTAP1, FIDO2 CTAP2, Universal 2nd Factor (U2F), Smart card (PIV-compatible), Yubico OTP, OATH - HOTP (Event), OATH - TOTP (Time), OpenPGP, Secure Static Passwords
➡️ USB-A + NFC: amzn.to/3CrYwbp
➡️ USB-C + NFC: amzn.to/3C5YuEN
➡️ USB-C + Lightning: amzn.to/3yxiVtl
YubiKey 5 Nano Series (To Leave Plugged In)
Supported Security Functions: WebAuthn, FIDO2 CTAP1, FIDO2 CTAP2, Universal 2nd Factor (U2F), Smart card (PIV-compatible), Yubico OTP, OATH - HOTP (Event), OATH - TOTP (Time), OpenPGP, Secure Static Passwords
➡️ USB-A: amzn.to/3M1UjOx
➡️ USB-C: amzn.to/3SohGV3
YubiKey Security Key Series (Basic/Cheap Version)
Supported Security Functions: WebAuthn, FIDO2 CTAP1, FIDO2 CTAP2, Universal 2nd Factor (U2F)
➡️ USB-A + NFC: amzn.to/3CqEAp5
➡️ USB-C + NFC: amzn.to/3M1JV9J
YubiKey Bio Key Series (Biometric Version)
Supported Security Functions: WebAuthn, FIDO2 CTAP1, FIDO2 CTAP2, Universal 2nd Factor (U2F)
➡️ USB-A: amzn.to/3Szai9q
➡️ USB-C: amzn.to/3C0Ipjp
FIDO Alliance
More information about passwordless authentication
➡️ fidoalliance.org/
Works with YubiKey
List of supported applications/services
➡️ www.yubico.com/works-with-yub...
💬 Follow Me
/ andrewmrquinn
Video timestamps:
0:00 - Passwords are Bad
0:53 - The FIDO Alliance
1:18 - YubiKeys
2:09 - YubiKey/WebAuthn Demo
3:05 - How Passwords Work
5:03 - How YubiKey/WebAuthn Works
8:36 - Protection Against MitM/Phishing
10:07 - Multifactor Passwordless Authentication
12:09 - Biometric Authentication
12:38 - Limitations
14:09 - Use as a Second Factor
14:30 - What If You Lose Your YubiKey?
15:13 - Passwordless is a Journey
15:45 - Virtual/Remote Desktops
The Pro Tech Show provides tech, tips, and advice for IT Pros and decision-makers.
#CyberSecurity #FIDO #Passwordless #YubiKey #CyberSecMonth

Comments: 95

  • @F16_viper_pilot
    @F16_viper_pilot 10 months ago

    As stated by someone else, “Most banks and financial institutions don’t support authentication apps much less a hardware security key. Those are the places I worry about getting hacked.” This is exactly the problem! And some banks even have ridiculous constraints on passwords, such as poor length maximums (12 or less characters), reduced symbols sets, and sometimes even treating uppercase and lowercase as being equivalent. Additionally, some sites that do support hardware tokens allow one to bypass them, and/or in some cases allow a hardware token for their web site, but then use SMS on their app. Brick and mortar banks are the worst and truly are a clown show. Some online banks are better.

  • @kyleaustin2728

    @kyleaustin2728

    5 months ago

    All the major bank employees use Yubikey afaik. It's still technically bleeding edge on the consumer facing side.

  • @MrDeviousdom

    @MrDeviousdom

    4 months ago

    When you connect to your bank, you are connected through an encrypted connection. If someone tries to use your password more than, normally three times, they will be locked out of your account. There is already more than enough security built into banking connections.

  • @F16_viper_pilot

    @F16_viper_pilot

    4 months ago

    @MrDeviousdom You’re simply making a false statement that banks all implement security that way. Each bank does their own implementation and there is no defined standard by which they must abide.

  • @F16_viper_pilot

    @F16_viper_pilot

    4 months ago

    @MrDeviousdom And the SSL tunnel used during and after authentication has absolutely nothing to do with authentication other than to help reduce man-in-the-middle attacks. The main issue is if a bank has its password file compromised, which has happened to many sites. Once the file is available hackers can use rainbow tables to match hacked password hashes to hashes in the password file. At that point they have the person’s password and only need one attempt to authenticate.

  • @MrDeviousdom

    @MrDeviousdom

    4 months ago

    @F16_viper_pilot Banks in the United States are required to use encrypted connections. Any major bank will lock you out after three failed attempts! Those are all facts!

  • @rogerwprice
    @rogerwprice 1 year ago

    Thanks - this is the best explainer on the topic that I have seen. I love your thorough but comprehensible explanations. Your other videos are great too.

  • @ProTechShow

    @ProTechShow

    1 year ago

    Thanks!

  • @USNBRENDON
    @USNBRENDON 1 year ago

    I want to commend you, kind sir....this presentation is incredibly well done and I am truly grateful that I discovered this information today! I wish to thank you for the copious time & energy you clearly have invested in the effort of providing a first-class, highly informative presentation here. Please allow me one more brief expression of sentiment and trust that although I have been curious to learn about this subject matter--both at the surface level and a much deeper level of technicality--your presentation is literally the first of its type on this subject matter to hold my attention all the way to the end! I cannot tell you how many similar videos have managed to lose my interest within the first 2 minutes; thus leaving me without the knowledge I desire and leaving them (KZread content creators) with crappy analytic data that doesn't help their channel or monetization--a "lose-lose" proposition that I find unacceptable. Again, many thanks and keep up the good work. I subscribed and fully intend on checking out other videos you mentioned producing as a series that goes into greater depth on a number of yubikey specifics, PGP and more! Cheers

  • @ProTechShow

    @ProTechShow

    1 year ago

    Thanks!

  • @NilsSeegerer
    @NilsSeegerer 1 year ago

    Thank you for the video, I think it's such an important topic and I'm always happy that I have a yubikey for like 2-3 years now. Thank you for explaining how the challenge works, didn't know that though!

  • @ProTechShow

    @ProTechShow

    1 year ago

    Cheers!

  • @jeoffer
    @jeoffer 1 year ago

    Best explanation I have found on security keys.

  • @ProTechShow

    @ProTechShow

    1 year ago

    Thanks 🙂

  • @bme7491
    @bme7491 1 year ago

    Most banks and financial institutions don't support authentication apps much less a hardware security key. And they stubbornly refuse to support either. Those are the places I worry about getting hacked.

  • @ProTechShow

    @ProTechShow

    1 year ago

    I'd like to say I'm surprised... I'd like to...

  • @F16_viper_pilot

    @F16_viper_pilot

    10 months ago

    Yes, this is exactly the problem! And some banks even have ridiculous constraints on passwords, such as poor length maximums (12 or less characters), reduced symbols sets, and sometimes even treating uppercase and lowercase as being equivalent. Additionally, some sites that do support hardware tokens allow one to bypass them, and/or in some cases allow a hardware token for their web site, but then use SMS on their app. Brick and mortar banks are the worst and truly are a clown show. Some online banks are better.

  • @MrDeviousdom

    @MrDeviousdom

    4 months ago

    @F16_viper_pilot A four digit pin code would be more than secure for a bank as you only get three attempts.

  • @F16_viper_pilot

    @F16_viper_pilot

    4 months ago

    @MrDeviousdom Who says you only get three attempts? Security implementations are website defined; there is no defined standard. More importantly, the main issue is if a bank has its password file compromised, which has happened to many sites. Once the file is available, hackers can use rainbow tables to match hacked password hashes to hashes in the password file. At that point, they have the person’s password and only need one attempt to authenticate.

  • @pernilsson2394
    @pernilsson2394 1 year ago

    The biggest problem is that companies push that you have to have an account to use their service. So they can hoard data about you. The security should be built in from the start. This is just an ad hoc solution. And always trust random ppl on the internet.

  • @x78340
    @x78340 3 months ago

    Amazing explanation. Thank you sir.

  • @ProTechShow

    @ProTechShow

    3 months ago

    Thanks!

  • @TomasPlaylist
    @TomasPlaylist 25 days ago

    Hi! Does Yubikey require to input PIN in NFC mode?

  • @kedirmamo7818
    @kedirmamo7818 1 year ago

    I have no words for your professional guides and explanations that every user should follow that help staying safe.

  • @ProTechShow

    @ProTechShow

    1 year ago

    Thanks. Those were some nice words, though!

  • @ZulfTalks
    @ZulfTalks 1 year ago

    This was super helpful thanks

  • @ProTechShow

    @ProTechShow

    1 year ago

    Glad it was useful

  • @QueenJNice1
    @QueenJNice1 1 year ago

    Hi Andrew: Question....I bought (2) Yubikey NFC 5 series. I did the set up process on my Macbook Pro and iPhone. But I could still sign in using my laptop password only, Yubikey will only prompt me to enter my Yubikey code when the key is inserted in the USB-C. Am I supposed to disable my laptop sign in? Same with my iPhone, I can still sign in with my standard phone sign in or face ID. It's not asking for the Yubikey. Can you please address? Thanks much!

  • @ProTechShow

    @ProTechShow

    1 year ago

    I'm not 100% sure what you're trying to do. The authentication method covered in the video was FIDO2/WebAuthn, which is used for authentication to websites. The YubiKey 5 can be used for other authentication methods as well, including acting as a USB smart card (also called PIV). If you're logging on to a Mac with it, I suspect that's what you're using. I don't have a Mac to test with, but the instructions here may be helpful if you've not already seen them: www.yubico.com/works-with-yubikey/catalog/macos/

  • @QueenJNice1

    @QueenJNice1

    1 year ago

    @ProTechShow Yes, I was trying to see if I could use both ways, as FIDO2/ Web Authentication as well as for my initial log in to the Mac laptop and iPhone. I guess that's what is called PIV. I'd like to secure the entire laptop and my phone so no one can access. My account was hijacked by a hacker. Unfortunately, I can no longer access all my data...so I am super paranoid. I haven't seen a tutorial on this. Thanks for your response.

  • @shortclip3967
    @shortclip3967 8 months ago

    What if a server got compromised? Data breaches? Hackers can access your data even if you use strong passwords or 2fa or 2fa hardware key.

  • @ProTechShow

    @ProTechShow

    8 months ago

    If a server gets compromised they can't steal your credentials and use them elsewhere because the private key stays on your device. If you mean more like "What if they steal your data from someone else's server having breached it via an unpatched vulnerability that has nothing to do with you?" that's outside the scope of this video, and not your responsibility. It is your responsibility to secure your identity and a company's responsibility to secure their own infrastructure. That said, the majority of such breaches start with compromised credentials so if you're using a passwordless login you've taken the biggest risk off the board.

  • @captainwasabi
    @captainwasabi 1 year ago

    ok so now I'll have passwords, PIV cards (cuz that isn't going away), and a yubikey per machine that I'm gonna use simultaneously (so 2-3). At what point is my whole day just getting logged into the systems?

  • @ProTechShow

    @ProTechShow

    1 year ago

    The YubiKey can act as a PIV card, so that's one less thing to worry about at least!

  • @Jamesaepp
    @Jamesaepp 1 year ago

    5:00 - Correct me if I'm wrong, but I don't think this is the case. It should be trivial with something JS to have the server send the client system "here's the salt, here's the algorithm, here's a nonce - compute your challenge response and return it.". I don't think it's *actually* required for the password to be sent to the server.

  • @ProTechShow

    @ProTechShow

    1 year ago

    I think the answer is Yes, No, & Maybe! I said something about not going into it in detail now in the video because there are a lot of tweaks on the approach that can be used and all I really wanted to do was introduce hashing for when it came up again later. I know of one site that does more or less exactly what you describe. They originally did it in an attempt to avoid the need for TLS, then wisely backtracked and implemented TLS anyway. Most websites don't do this (I only know of the one off the top of my head, but I can't say I've audited a huge number), so whilst a web developer could create a mechanism for client-side hashing as an end-user you can't choose - if they ask for the password (as most do) you have to send it. I think it's somewhat irrelevant, though; because once you type the password into the web form you've essentially lost control of your key at that point. Assuming the use of TLS, if anyone is in a position to steal it in-transit they're in a position to modify the JavaScript and just take your vanilla password. Presumably that's why they just submit the password as-is. The only way to make sure it never goes over the internet is to make sure it never goes into the browser in the first place.
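The client-side challenge-response idea discussed in the two comments above (server sends salt, algorithm and nonce; client returns a computed response), sketched as an added example that is not part of the original thread or any site's code. PBKDF2 and HMAC-SHA-256, the iteration count and all names are assumptions of this sketch; it also shows that the value the server stores becomes password-equivalent, which is not the case when the server holds only a public key.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # assumed work factor for this sketch


def derive_verifier(password: str, salt: bytes) -> bytes:
    """Client side: stretch the password with the per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def answer_challenge(verifier: bytes, nonce: bytes) -> bytes:
    """Client side: bind the stretched password to the server's nonce."""
    return hmac.new(verifier, nonce, hashlib.sha256).digest()


class Server:
    """Hypothetical server that never receives the plain password at login."""

    def __init__(self):
        self.users = {}    # username -> (salt, verifier)
        self.pending = {}  # username -> outstanding nonce

    def register(self, username, password):
        # Simplification: the verifier is derived here; a real deployment
        # would have the client derive it and upload only the result.
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, derive_verifier(password, salt))

    def start_login(self, username):
        salt, _ = self.users[username]
        nonce = secrets.token_bytes(32)
        self.pending[username] = nonce
        return salt, nonce

    def finish_login(self, username, response):
        nonce = self.pending.pop(username, None)  # each nonce is single use
        if nonce is None:
            return False
        _, verifier = self.users[username]
        expected = answer_challenge(verifier, nonce)
        return hmac.compare_digest(expected, response)


def client_login(server, username, password):
    """Full exchange; returns (accepted, response that crossed the wire)."""
    salt, nonce = server.start_login(username)
    response = answer_challenge(derive_verifier(password, salt), nonce)
    return server.finish_login(username, response), response


def replay_is_accepted(server, username, captured_response):
    """A response captured earlier is checked against a fresh nonce."""
    server.start_login(username)
    return server.finish_login(username, captured_response)


def stored_verifier_is_password_equivalent(server, username):
    """Design check: can the stored row alone answer a challenge?

    The server must keep `verifier` to compute the expected response, so
    whoever reads that row can authenticate without knowing the password.
    """
    _, stored = server.users[username]  # stands in for a leaked database row
    _, nonce = server.start_login(username)
    return server.finish_login(username, answer_challenge(stored, nonce))


if __name__ == "__main__":
    srv = Server()
    srv.register("alice", "constructed-sample-password")  # constructed data
    ok, wire = client_login(srv, "alice", "constructed-sample-password")
    print("login accepted:", ok)
    print("replayed response accepted:", replay_is_accepted(srv, "alice", wire))
    print("stored row is password-equivalent:",
          stored_verifier_is_password_equivalent(srv, "alice"))
```

The nonce stops a captured response from being reused, but the scheme moves the secret rather than removing it: the database row now plays the role of the password.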

  • @matthewsteel5464
    @matthewsteel5464 1 year ago

    Where did you get that Yubikey from?

  • @ProTechShow

    @ProTechShow

    1 year ago

    A mysterious envelope. I think it came from magical IT fairies who can make things appear on command. 😁

  • @portman8909
    @portman8909 3 months ago

    Do yubikeys require a PIN code to unlock? This is not good for businesses that manage these keys. If someone forgets their pin on the key there’s nothing the IT team can do?

  • @ProTechShow

    @ProTechShow

    3 months ago

    It depends on the authentication protocol. U2F (2nd factor) doesn't require a PIN but FIDO2 (WebAuthn passwordless) or PIV (smart card) would use a PIN or biometrics. It's important to protect the key with a second factor, otherwise if you lost the YubiKey anyone could pick it up and log in to your accounts. If managing this for a business you would handle it differently depending on usage. For smart card (PIV) the IT team could configure a PIN Unlock Key before issuing the device, so that it can be reset. For FIDO2 the user can change the PIN but the private key would be lost. In that case the admin would reset their account on the application so they could re-register their YubiKey with it.

  • @Hrubicundus
    @Hrubicundus 1 year ago

    If you get the USB-C one can you use it safely with a USB-C to USB-A adapter?

  • @ProTechShow

    @ProTechShow

    1 year ago

    I have a USB-A key and have used it with a USB-A to USB-C adapter so I assume it would work in reverse as well

  • @breadhombre720

    @breadhombre720

    1 year ago

    Yes. It works. Just pray your adapter wasn’t made with malware on it 😅

  • @gajowyify
    @gajowyify 1 year ago

    The idea that one has to have 2 yubikey for safety is flawed. It doubles cost. What about possibility of storing generated private key in safe place? Is it such a possibility?

  • @ProTechShow

    @ProTechShow

    1 year ago

    You can't extract the private key from the YubiKey. This is by design. It protects the key from exfiltration by malware and it ensures that you must physically have the device in order to prove your identity. Think of it as a physical key like the key to your house, rather than like a password. Part of its security comes from the fact it can't simply be cloned in software.

  • @deandv131

    @deandv131

    9 months ago

    I see your point and would like them to be cheaper, but what price would you put on your security? You can purchase 2 keys from as little as £60. If you were hacked and someone said they could reverse everything that happened for even £100 wouldn't you pay it? I know I would.

  • @Hrubicundus
    @Hrubicundus 1 year ago

    Sounds like a good idea but I'd still be #purefeared of losing it (or all of them if I got a few back up ones)

  • @ProTechShow

    @ProTechShow

    1 year ago

    It's designed to fit on a keyring. That helps keep one to hand because if I lost the YubiKey I'd also have lost my car and my house keys!

  • @Hrubicundus

    @Hrubicundus

    1 year ago

    Let's say you regularly go to swingers parties where everyone puts their keys in a bowl and picks out a random set of keys to match up with a partner, would you recommend removing the yubikey beforehand? Asking for a friend

  • @ProTechShow

    @ProTechShow

    1 year ago

    I'd recommend your "friend" makes sure they have the PIN enabled 😉

  • @mbmb8363
    @mbmb8363 1 year ago

    How come this technology is convenient, it is secure for sure, but it needs a physical key that is subject to be damaged, break or loss and being stuck not able to sign in. I feel like it is a step backward. You can achieve passwordless auth by using email only and send a code to email/phone or both for extra security. Thanks for the video.

  • @ProTechShow

    @ProTechShow

    1 year ago

    A phone is more likely to get broken than a YubiKey. It's also more likely to get stolen, and it can run out of battery. It may not be obvious as I took it off for the video, but the YubiKey is intended to fit onto a keyring. If I were to lose that I'd be locked out of my car and my home, never mind an internet account! I don't consider sending a code to an email address to be a good form of authentication. It's not really authenticating anything - just moving the problem to your mailbox, which you still have to authenticate to anyway. Your mailbox is accessible remotely and actively targeted (91% of attacks start with an email) so it's not something I'd use as a key. Using a one-time code is better than a password, but isn't as strong as WebAuthn because it's vulnerable to a man-in-the-middle attack, and by itself only single-factor authentication. Two codes is still single-factor authentication, just twice. For passwordless you should have at least two different factors (e.g. something you have / something you know / something you are). That can be achieved with a phone if you require a PIN/biometrics to get to a device-specific code. That's good enough for most, but not as secure as WebAuthn.

  • @severgun

    @severgun

    1 year ago

    @ProTechShow
    > Two codes is still single-factor authentication, just twice.
    No it is not. TOTP + Password are 2 factors. Password - what you KNOW. By entering TOTP you prove that you OWN device with generator

  • @ProTechShow

    @ProTechShow

    1 year ago

    @severgun Read the full comment and response. They are not talking about TOTP + password, they are specifically talking about using TOTP _instead_ of using a password. The two codes were two different TOTPs, which is the same factor, twice.

  • @rayn1ful
    @rayn1ful 1 year ago

    if companies want customers to use 2fa then i think one of the options should be a hardware yubikey key, but let the companies pay for them and pay to have them shipped out to each and every customer.

  • @ProTechShow

    @ProTechShow

    1 year ago

    I don't think that's realistic. You need to take responsibility for your account security while the company takes responsibility for their platform security. If your account gets hacked it's you who will be impacted. FIDO2 devices like the YubiKey protect you rather than them.

  • @An.Individual
    @An.Individual 1 year ago

    14:28 is that a new dance move?

  • @ProTechShow

    @ProTechShow

    1 year ago

    Could be the next trend - everyone dropping their YubiKeys on the dance floor. You saw it here first.

  • @LionRoars918
    @LionRoars918 1 year ago

    Banks are terrible at security from no support for hardware keys to forced 12 digit numeric only passwords.

  • @ProTechShow

    @ProTechShow

    1 year ago

    Numeric only passwords 🤢

  • @LionRoars918

    @LionRoars918

    1 year ago

    @ProTechShow .. that would be a bank that does not understand what they are doing to us. Btw .. have yet to see one site that will allow only my Yubikey. I would really like if yes, we got rid of passwords. But even Yubikeys are not totally secure. Just ask Linus how important security is.

  • @donttreadonme154
    @donttreadonme154 7 months ago

    A.I powered rainbow table 🌈🔨

  • @severgun
    @severgun 1 year ago

    Extremely not convenient on mobiles (even with nfc). And mobile internet is everything today.

  • @ProTechShow

    @ProTechShow

    1 year ago

    When I use an account with my phone 99.9% of the time it's using an app where I log in with MFA, then the app saves my account, and it's protected by PIN/biometrics on the device from that point onward. For the one time you actually do need to log in it's really not a lot of effort to take your keys out of your pocket and hold them against the phone for a second to use NFC. That's assuming you're using a YubiKey. As support for using the phone itself as a FIDO2 token improves you'll presumably be able to do it one-handed.

  • @estusflask982

    @estusflask982

    1 year ago

    lol what? they have usb-c and nfc. keep it on your keyring. it's not hard.

  • @MrDeviousdom
    @MrDeviousdom 4 months ago

    I don't think that the answer is using a hardware key! There's no reason that websites could not be redeveloped to include public key cryptography or even a VPN tunnel built in. Then, you have no worries of getting your password exploited. Having a piece of hardware that you need to have on your person is extremely lame and problem-prone. Secure passwords are not a problem, especially if you use a secure password manager. Two factor authentication, sounds all well and good until you get your phone stolen and all of your accounts stolen as well after the thief authenticates using your stolen phone. I'm all about secure passwords and secure communication channels between the server and the end user. Problem solved and no one was inconvenienced.

  • @ProTechShow

    @ProTechShow

    4 months ago

    Pretty much every website now uses HTTPS, and your browser will warn you if it doesn't. HTTPS uses an encryption layer just like a VPN, so adding a VPN on top does nothing. It does not solve the inherent problem of passwords, it only protects data in transit. Public key cryptography for authentication requires you to have a private key, which needs to be stored on a physical device somewhere. That is what YubiKeys do. Any website that accepts a YubiKey is already using public key cryptography to authenticate you - it doesn't need to be developed. What you're arguing for is exactly the solution presented in this video.

  • @MrDeviousdom

    @MrDeviousdom

    4 months ago

    @ProTechShow That's right! I don't think you guys are understanding what I was saying. If security is fully implemented at these websites, whether it uses encrypted connections, which is mostly the case nowadays, or a private tunnel, we won't need to carry a hardware key around. Having a private key secured on the local device is sure a lot easier than having to have a hardware dongle with you to use on your home computer, work computer, phone, tablet etc. Plus, there are other ways that don't require carrying around a hardware dongle. The hardware dongle idea may work well for someone that has only one device, but for the majority of people, it's a major flaw!

  • @ProTechShow

    @ProTechShow

    4 months ago

    @MrDeviousdom Transport encryption doesn't really have anything to do with it. It's completely separate to the cryptography used during authentication. You can now use most modern devices as your security key as long as you have the right hardware, but one of the advantages of a dongle like the YubiKey is it’s not tied to a specific computer. It’s not a problem for people with multiple devices - it’s a solution to exactly that problem. Essentially, your laptop can function as the YubiKey but it's less flexible. Your laptop can log you in when using your laptop. The YubiKey can log you in from anything. I haven't made an updated video, but the way I set up most of my accounts now are with my regular computers and my YubiKey as FIDO2 tokens. That way I can log in using Windows Hello for convenience, but if my laptop breaks or I need to use another device I can use my YubiKey. It's a good idea to have more than one hardware key so you don't get locked out and I think the combination of Windows Hello + YubiKey provides an ideal mixture of redundancy, convenience, and compatibility.

  • @MrDeviousdom

    @MrDeviousdom

    4 months ago

    @ProTechShow I'm never going to agree with that premise, but I respect your choice to use it if you like. I won't be buying one.

  • @jackt6112

    @jackt6112

    3 months ago

    @MrDeviousdom I agree with you. Having been in the IT field for decades, the YubiKey owes their existence to controlling concurrent software licensing where they pass it between computers in an organization. YubiKey's use for this scenario is a flash in the pan, in fact it's not even a flash in the real world. YubiKeys are small, easily lost, frequently go bad at customers simply from use. Unlike phones, they often go through the washers and dryers, and are easy to forget because they are not an essential part of your life. When they go bad, you simply get another one. The software vendor simply deletes access for the old one so if it shows up later, it still doesn't work. Web apps check with the CA to verify what they received is valid. The phone is currently the only personal device that I see that can succeed in this role because it has become almost ubiquitous. Even your kids have one. It also has the capabilities to require bio, which itself can become a private key. It also possesses NFC, GPS, and many more complex methods to increase the confidence that the person making the transaction is who they say they are. You can find it back. Satellite is almost here, and would have been here except the phone vendors balked until the standard was finished. (no Apple doesn't have it) Phones are replacing your car keys. Many countries people get a telephone number to back WhatsApp and the number they use for business is published as a WhatsApp number. Wi-Fi which is fast becoming ubiquitous and free, with any cellular used for data, which to be honest the cell phone calls they charge for have been since the first revision of LTE. Even for remote workers, the future is the phone. There is no key to pass and when they no longer work or the company it is easily revoked. MFA is being used now with no input from you. Several years ago after doing my homework I went to buy a TV at Walmart at 3:00 AM. I took my antique car and left my phone at home. 2 out of 3 credit cards were refused and all 3 were locked the following day due to my 3 AM purchase. The whole purpose is to deploy security for billions of people. YubiKey does not even have the potential, let alone any hope of broad acceptance. I've only bought Samsung phones lately, which have KNOX, where their secure apps run, so they don't need to secure the entire phone for their secure apps. Consequently, you can swipe and do credit card transactions without even logging into the phone, and you have 50 seconds to get a good fingerprint to get the NFC to work. Their watches interface securely so don't need to log in either. Unless the phone is secure, the apps won't run nor is there any access to the data. If anything is done outside of the signed software, it burns a fuse and the phone will not run anything KNOX. Other phones do credit cards now, and new models can evolve as necessary AND you can be sure people will have one, AND you can refuse any that become vulnerable. Phones have traceable MEID and MAC if they become stolen. They can be erased remotely. They are often secured BIO and have multiple technologies for it. If they steal your credit cards they have something. If they steal your phone with the credit cards on it, they have nothing, not even something they can reset and use.

  • @gillsimo5610
    @gillsimo5610 1 year ago

    Howz about STOP using Internet!

  • @ProTechShow

    @ProTechShow

    1 year ago

    Can't argue with the security. Practicality on the other hand...

  • @estusflask982
    @estusflask982 1 year ago

    There are a lot of dumb responses to this video in these comments. Sorry @Pro Tech Show

  • @ProTechShow

    @ProTechShow

    1 year ago

    All the more reason to make the video I guess, for the people who can learn from it

  • @nataliefeelme4416
    @nataliefeelme4416 1 year ago

    think someone does not know anything about Yubi Key and wants to know how it works, what you need to get it and how to use it. So you go on YT and watch this Video..and you still have no idea. Why can you not show how to set it up, what you need to even use that thing. You have a screen there and a lap top with its back turned.. great. 🤦‍♀People that are using stuff like that will like the Video. But those that have no idea and are trying to get information are wasting their time here.

  • @ProTechShow

    @ProTechShow

    1 year ago

    There is no setup to show. You just plug it in when your computer asks you to. How you add a YubiKey as an authentication option for a specific application is a process that is specific to your application, not the YubiKey. You need to refer to the manual/help page for whatever application you're using if you don't know how to do it. The purpose of this video is to introduce FIDO2/WebAuthn, not document a specific application, let alone every application that has ever been or ever will be written. As for the laptop: the screen is showing you what's on the laptop. You're not missing anything. That's why the screen is there.

  • @jakelong1418
    @jakelong1418 1 year ago

    So this obviously works well on a computer. But computers are a thing of the past. How do I use this on my phone or tablet? The future of phone is wireless with no ports. If they do come with ports, they'll be proprietary solutions. And my TV doesn't have the Bitwarden app. How would I go about solving this? At home, I guess I could set up a wireless solution and plug the USB into the wall and bluetooth it to my phone. But what if I'm on-the-go? I guess what I'm asking is, are there other future proof solutions out there? Because with physical wires and ports being a thing of the past., I don't see this lasting very long, unfortunately.

  • @ProTechShow

    @ProTechShow

    1 year ago

    The YubiKey I showed in the video supports NFC as well as USB, so to use it with my phone I tap it against the phone and it authenticates wirelessly. I've noted in the video description which YubiKeys support NFC as there are several models. As to the future of phones... The EU have ruled that charging ports on all mobile devices will have to use USB-C by law. The EU is a big enough market that even Apple will have to fall in line, and it's unlikely they'll want to make different hardware for different markets with different ports and different accessories to go with them; so the future of charging ports on phones is USB-C, not proprietary. 100% portless phones could happen. Maybe Apple will do it at some point, but I don't think many would welcome it right now. In any case, the NFC keys will still work, as will the phone-based FIDO apps that use Bluetooth when they're a bit more prevalent.

  • @jakelong1418

    @jakelong1418

    1 year ago

    @ProTechShow I appreciate your detailed reply. Thank you.

  • @acidthunder1

    @acidthunder1

    1 year ago

    I like security, so I like wired. Wireless will always be easier to hack

  • @StijnHommes
    @StijnHommes 6 months ago

    I'll stop using Windows and Google long before I turn my back on passwords. I'm done listening to people promoting passkey spam. So enjoy yourself Pro Tech Show. You are hereby blocked from interacting with my account and reported for spamming and scamming.

  • @ProTechShow

    @ProTechShow

    6 months ago

    You should probably stop using the internet, to be honest
