I've heard that Aegis and 2FAS are good choices.

@watertrooper

5 ай бұрын

I wish she would have included Aegis.

@MaxMustermann-vy7ur

5 ай бұрын

Raivo OTP is also great and open source

@diegoleonetti2424

4 ай бұрын

I used Aegis in the past but that unfortunately is tied to android phones only. I ordered a yubikey 5 nfc to be independent by authenticator apps

@wop52000

4 ай бұрын

I use 2FSA. I'm happy with it.

@alpacamale2909

4 ай бұрын

Aegis is amazing

Way to go Shannon! I've been waiting for a showdown with 2FA authenticator's INCLUDING the Yubico authenticator. I use Authy for my home tablet and Yubico for my phone for better security when I'm on the go. I do think you might have mentioned that Yubico authenticator only works with version 5 Yubikey. Love the Yubico authenticator for PURE SECURITY on my phone Enjoy all your videos! Much health in the new year. Anthony

Learn a lot about Yubico from watching your videos. You still remain one of the best. Thank you Shannon! Happy New Year!!!

I love the yubico authenticator but it doesn't hold all my keys. It's has such a low limit.

Why did you not include Bitwarden or Microsoft Authenticator? Are these not some of the highest market share authenticators?

@MaxMustermann-vy7ur

4 ай бұрын

Doesn’t mean the are the best… or even good

@cognetic

4 ай бұрын

@@MaxMustermann-vy7ur Agreed.

@expat64

3 ай бұрын

Great question, but I notice there seems to be very little to almost zero Microsoft related content in any of the videos for some reason.

@c.m.7037

3 ай бұрын

Microsoft, lol.

@michaelthornes

2 ай бұрын

quick tip: if you're storing your passwords in bitwarden, avoid storing your 2fa codes there too, especially for important accounts. you do gain security if the password itself is compromised, but if your bitwarden vault is compromised (eg by someone using your computer while the extension is unlocked), so are *any and all* of your accounts at that point. by keeping your 2fa codes separate from your passwords, you reduce risk of either one being compromised, even if it's a little less convenient at login time. I would always suggest keeping them on your phone, protected by biometrics and a different PIN/password (if someone tries to add their face to face id on an iphone using your unlock PIN, the 2fa app will then reject biometrics require its own to be used again - so that's still safe behind biometrics)

Shannon, I worry about any discussion of digital security that doesn't address open source. Please don't ignore this elephant in the room.

I choose Authy for convenience with multi-device abilities. Too risky for me to not have a backup in case my phone breaks, gets lost, etc. I think using any 2FA app at all is more/better than your average person does anyway.

google authenticator uses an unencrypted HTTP connection, Google said they'd fix it months ago but have yet to do so. Google Authenticator is also closed source, and unlike alternatives, does not let you retrieve keys to use with a separate authenticator.

@MaxMustermann-vy7ur

4 ай бұрын

Google Authentificator is just bad …

@rainerrain9689

4 ай бұрын

So I can't use a Yubi with google Authenticator?

@JAM35_

4 ай бұрын

@@rainerrain9689 correct

@rainerrain9689

4 ай бұрын

@@JAM35_ Well that's not good ,so now I have to find a video on how to transfer all my accounts to Authy which does,am I correct ?

@JAM35_

4 ай бұрын

@@rainerrain9689 are you using google authenticator now? If so, you'll have to generate all new keys for everything, because google won't let you switch from google authenticator.

Great coverage as always. Thank you. And feel better soon.

Been using Yubico Authenticator for years. Love it and feel secure vs Google and Authy. 👍

The promo code is not working! neither is the link above it.

2FAS is a great open source TOTP app

@audy305

3 ай бұрын

What app is that in the iOS App Store can’t find it

@bradleybratten4436

3 ай бұрын

I searched “2FAS” in the IoS App Store and it came up as the second choice (1st non sponsored) labeled “2FA Authenticator (2FAS)”

Love my Yubikeys and their Authenticator. Wondering how to introduce my kids (preteens) to it on their devices, though? Is there a kid-friendly learning curve Yubikey you'd recommend, Shannon?

@Dobbo314

5 ай бұрын

Surely the issue here is to get them to "care" about security. I remember, when she was about 14 (she doesn't remember now she is 25) that my niece came to me asking bout Net Nutrality. She got why Net Neutrality was a good thing -what she didn't grok was why commercialism would want things differently.

I assume that you recommend your Authenticator app be separate from your password manager app?

Hi Shannon, Can I buy 2 same YubiKey 5C NFC with USB-C or do I have to buy 2 difference kind Yubikey like USB-C and USB-A is that matter ? Please advise. Thank you!

Nice work Shannon 👍

Coupon code does not work for purchasing Yubico😢

If you're using standard Android then Google already has all the stuff the app collects. I just wish it was more clear on backups. I accidentally turned that function on then had to turn it off again. I was a bit annoyed because I don't want that feature. I'm perfectly fine manually updating my backup devices.

I like Authy for its end-to-end encrypted cloud backups and syncing, using a separate password specifically for said encryption. I can have Authy on any computer or mobile device I want and it'll sync my secrets between all devices. I also appreciate how it has its own PIN lock and doesn't just rely on the device's Lock Screen code, even if you use biometrics it doesn't fall back on the Lock Screen code. Anyone who might happen to have my Lock Screen code can't then get into Authy and get my 2FA codes.

@MaxPower-11

5 ай бұрын

I agree. Authy has a reasonable set of additional safeguards which makes its cloud function more secure. That’s why I chose it as well.

@The_Nixie

4 ай бұрын

I was in the same place til I moved to a password app that incorporates an OTP generator and passkey functionality. There's argument to be made for separating the password and MFA - but then, i protect my password app with my Yubi ;)

@Damariobros

4 ай бұрын

@@The_Nixie I'm not sure I can trust myself to not lose a YubiKey, so if I get one it'll just be for convenience at my pc, and I'll still have my Authenticator app set up as well. Also if you lose your passwords you also lose all your 2FA at the same time if you have them together. I always have my backup codes and 2FA separate, and if I ever move over to a password manager, I'll have that separate too. Way less hassle if I have to undergo mass account recovery. With Passkeys, I'm waiting until Apple implements Stolen Device Protection before setting up any passkeys so that anyone who has my device passcode, e.g. a family member, can't just use my device passcode to access my accounts.

@The_Nixie

4 ай бұрын

@@Damariobros all true. I generally have multiple yubis + an auth app (for occasions when I don't have Yubi handy) - but no matter how you do it, your comment exemplifies why there should *always be more than one key to any lock. :)

@GengoSenmon

2 ай бұрын

They are sunsetting the desktop app in a few days. Major disadvantage. No idea why are they are doing that. Very inconvenient.

Do any of these work on the iphone. would it work on linux with Yubikey and windoews 11?

I tried the code at checkout and its not valid

Hello Shannon! This was very informative. I have a query I’m hoping you can answer: How many accounts can I keep a record of on a single Yubikey 5C NFC USB C variant?

@ShannonMorse

3 ай бұрын

Depends on the protocol. I haven't hit the limits but here they are from a quick Google search: There are limitations with the YubiKey in terms of supported accounts. It can store up to 25 FIDO2 credentials for password-free logins, two OTP credentials, 32 OATH credentials for one-time passwords (when paired with the Yubico Authenticator), and an unlimited number of U2F credentials.

@OGSuperNaqash

3 ай бұрын

@@ShannonMorse thank you so much for replying. I ordered my first pair just yesterday! Your video helped.

Thanks for sharing. Blessings on your day!

💊 Get well soon and Happy New year Sailor Moon Shannon! 🌙

I got the tiniest Yubikey because it looked so cool and inconspicuous pushed into the side of my MacBook but it seems I can't use it because the part that sticks out is so tiny that nothing happens when I try to touch it, so I also bought the flat one the sticks out further but it seems to jiggle around and get knocked askew when I press on it. Any advice would be appreciated. I'm past the return period. I want to make these work since they seem to be the best solution, although I am surprised to not find most financial sites on the list which is the main thing most people want to connect.. Any suggestions?

Am I correct that if I loose my YubiKey and did not password protect the key then anyone who finds the Yubikey can install the Yubico Authenticator app and view the accounts stored on the key? I bought two keys (YbiKey 5 NFC) and trying to get my head wrapped around how to properly use them before I actually use them. I have the app installed on my iPhone and both keys open the app and that got me thinking something is wrong, where's the security. Nowhere have I heard anyone say to put a password on the YubiKey and I don't see anyway to add or remove keys from the Authenticator App - Still confused.

Raivo OTP,2FAS?

Edited to correct some info on the OAuth vuln, but also, to say, great video as always, Shannon! And to preface the following, I personally do like my yubikeys, I'm just exceedingly sparing in where and how I use them. Now... Something's been bugging me about 2fa with security keys and passkeys: Technically, if you don't need to input a password or OTP, these are NOT 2fa, and the security is still weak. Especially with the recent research reports of reviving dead OAuth session cookies. its important that everyone make sure not to disable passwords if optional when using a yubikey or other security key or passkey. And if password usage does not persist, its just 1FA. 😢

@Dobbo314

5 ай бұрын

@xileets Doesn't the cookie (stored on the device) count as one of the authenticators? So long as the same device doesn't also have the authenticator app too then any attacker would need two of your devices to breach the website.

@MaxPower-11

5 ай бұрын

How do you figure that passkeys are not 2FA? They satisfy something you have (first factor) and either a biometric (second factor) or a PIN or password (second factor).

@xileets

5 ай бұрын

@@Dobbo314 Correct, however, in some cases you can disable this requirement. And then there are relevant cookie vulns. There's a relevant CVE... Ill find and post below.

@xileets

5 ай бұрын

@@MaxPower-11 my first response was overly complicated. Yes, you are correct, if there is a second factor required. But some implementations allow just the use of a security key with nothing else, and that is not satisfactory on it's own, as some keys contain a single factor: something you have.

Great video. I'm trying to transfer my accounts from Twilio Authy to Google Authenticator.

tbh for 2FA i don't see why a yubikey makes sense .. anyone can just tap their phone and have my 2FA keys WITH my email .. compared to my phone where i have face unlock and am less likely to lose it compared to an extra device like a yubikey

Do you have one of these videos on apples keychain

I mean does it matter ? If it's not Fido2 then it all can have cookie sessions or tokens captured with a phishing link.

I use Authy, I had Yubikeys but lost one, broke one etc, that's why I don't use them any more. I would be forever looking for my Yubikey whereas Authy is on Ipad, Iphone, Android ohone and desktop, lot's of backup.

@Dobbo314

5 ай бұрын

I have two Yubikeys. One lives on my key ring (with my car key) so it is always in my presence, the other on a lanyard that hangs near my workstation. I think you are doing something wrong if both your keys are not readily accessible. By doing this I consider the chance of losing both keys is as close to zero as i can reasonably make it.

@arthurmarek8418

5 ай бұрын

Yes, I think I will get some and try again because they are the best solurion, maybe get three!@@Dobbo314

Watching this made me feel even better for buying my wife and I Yubikeys.

Can I attach yubico to my boarded insistence?

It's good to see some comparison of 2FA apps. But I have to say that the list of apps is far from comprehensive. Okta, Microsoft should be included as they are often used at workplaces

Did you consider privacyIDEA? It's my personal fav. Open Source, all important token types are supported and all data remains in your hands. Basically, you yan create your own 2FA server without being dependent on others.

what do you think about Ente?

The affiliate link for $5 off a yubikey is invalid!

@TheSolarPvP

5 ай бұрын

I noticed that too!

Do you think it's risky for me to be using the authenticator from my password manager?

@ThatNateGuy

5 ай бұрын

It can be, yes. I used to keep many of my TOTP keys, recovery keys, and stuff like that in my password manager, but since migrated them to Standard Notes. By separating them, an attacker now has to compromise both my password manager and SN in order to fully compromise my accounts. I hope that's a useful and satisfying answer to your question!

Would using the Yubico app have the same level of security as using the key directly as 2FA and not to generate TOTPs?

@ShannonMorse

3 ай бұрын

Uhhh I'm not sure I understand your question. The app requires you to unlock it via a yubikey. When using the yubikey on its own as MFA on websites, it depends on what protocol the websites is using (FIDO U2F, TOTP, etc etc). Time based codes are never gonna be as secure as FIDO U2F since codes can be stolen.

@Rednunzio

3 ай бұрын

@@ShannonMorse using the YubiCo app the codes are generated only if the hardware key is brought close. If I don't have the hardware key I can't do anything. Similarly, if I set the hardware key directly on my account, Google for example, as a 2FA system, no one will be able to enter unless they insert it or bring it closer to the device being authenticated. In both scenarios, security is linked to the hardware key. I hope it was clearer. thanks for the previous reply ☺️

Is there a limit on how many codes can be stored with yubikeys?

@dwsharp

4 ай бұрын

They hold a maximum of 32 codes

@zhiqiangzhou540

4 ай бұрын

Fantastic, so if I more website with 2FA I would need more keys. This is a bit sad.

@portman8909

3 ай бұрын

@@zhiqiangzhou540they will increase limit for yubikey 6

Which is best??

How does that protect me frm somebody trying to swap my sim card ?

I'm using Yubikey authentication and Aegis authenticator. Also looked down my windows, pop_OS!, Kali Linux with my 2 Yubikeys. Love your style and videos and all for Yubikeys

4:00 the app actually is like acting as a viewer for your yubikey hardware where you can view the stored 2fa/mfa. no need for syncing because you already have it in the palm of your hands, imagine it if it has a screen/display you will not be needing the app anymore.

is it just me or is the audio left side biased hmmmm had to turn off surround sound for this video

Bitwarden

Great video! Next time type in "subscribe" instead of "chicken" as your sample password ;)

Link does not work.

Is it possible to export my Google Authenticator Codes to my Yubico?

@ShannonMorse

3 ай бұрын

No, you'd have to re authenticate your yubico on the websites you originally sent up 2fa on. You'll need that QR code again

I just find the google auth app is very easy. I'm thinking that carrying around a youbikey would just be a way to possibly lose it and not be able to log into sites. I don't let google back up my codes fyi. Thanks for all your work on security, it's very helpful.

Missing keepass databases 😊 use a separate file only for 2fa

Twilio drops Authy Desktop app. Too bad that news didn't come out before Shannon made the video.

Is that your natural hair color?

i new well before the end yubico would be the winner cos they sponsored this video , but good vid

Using bitwarden. Is it a bad practice to use the authenticator thats built in to it? Putting all my eggs jnto same basket? I do use yubikeys btw

@ThatNateGuy

5 ай бұрын

@iSucrose asked a similar question above and I gave what I hope was a good answer to it. At the end of the day, it depends on your risk tolerance and threat model. I know that's a common thing for security people to say, but it really is true. 🙂

@mrkmdz

5 ай бұрын

It comes down to what you're trying to protect, and from who. I.E, as @ThatNateGuy states, your risk model. TOTP with Bitwarden is very convenient. But some would argue that putting both your passwords and your TOTP's in a single app and single device defeats the purpose of 2FA. If a bad actor can gain access to your Bitwarden account they get both credentials. But even just using a password manager and an authenticator on the same phone increases your risk if someone steals or impounds (think a law enforcement or border control agency) the device. It doesn't have to be an all-or-nothing decision. I use my password manager for TOTP on low- and medium-risk sites, and a separate authenticator for high-risk sites.

@Dobbo314

5 ай бұрын

@mrkmdz But if you use a Yubikey (or two) to protect your BitWarden vault then doesn't that mitigate the risk? This is what I do. I like the fact that to add my BW vault to a new device requires one of my Yubikeys. And to gain access to BW requires the pass phrase or a biometric scan, so there are always two factors needed.

@mrkmdz

4 ай бұрын

​@@Dobbo314 In general, yes. You need your BW passphrase + Yubikey to authorize a new device to access your BW vault. Then you need possession and control of your phone + biometric identifier + a memorized secret (either the BW passphrase or PIN) to unlock the phone and open the BW vault. Both of these processes are protected by at least two strong (AAL2) factors.

If it has the option for cloud avoid.

Didn't Twilio have a data breach ??

I wonder how soon it will be before we need authentication apps to access the authentication app. I wonder how soon off retina scans will be or every device has a DNA sequencer built in to verify identity? Like the Enterprise D in the background.

Happy Happy 🎉🎊🎇

Find you a friend who is dedicated to you how Shannon is dedicated to security 😂

@BrianGlaze

5 ай бұрын

The safest password in existence "chicken"

@Asfgxff

5 ай бұрын

How Shannon is dedicated to ubikey.

As of March 2024, the Twilio Authy Desktop application will no longer be supported, which means the application will no longer receive updates, bug fixes, or security patches. Users of this application will need to switch to other supported authentication methods to ensure the security and safety of their data.

My Google Authenticator is protected by FaceId.

@MaxMustermann-vy7ur

5 ай бұрын

Google Authenticator is bad

Aegis vs Ybico

More like hoarse code….? Ehhh ehhh? All bad shit jokes aside, get well soon. I just had pneumonia gifted to me by my coworkers and almost died. Not an awesome way to spend Christmas. You rock and get your rest lady!!!

Don't use the ones from google or microsoft, if you do....just don't use anything already

@MaxMustermann-vy7ur

4 ай бұрын

Yeah these two are just bad

It's 2024, and I still love Shannon's nails

@Dobbo314

5 ай бұрын

But what is up with her hair?!? There is only one tint in it! I'm only posting this because I can remember a post where she bemoans derogatory comments about her tints. What drew me to this channel was her approach to the topics she covers. I like the way she thinks; it aligns mostly with my own; and where we differ makes me reassess my own thinking. I'm not saying that I always agree with her - but her presentations allow me asses my own constructively.

2FAS ftw

it is very frustrating that authy windows is End of life. So Stupid

Ente auth is a better 2fa app

Good Work Shannon. Love from India

❤🎉

Get away from Google!

I like 2fas

@MaxMustermann-vy7ur

5 ай бұрын

Raivo OTP?

@jkbobful

5 ай бұрын

@@MaxMustermann-vy7ur ravio is cool but they did get bought out here recently

Thanks for my $5 off on both my Yubico Keys

@ShannonMorse

3 ай бұрын

Woohoo!