Just got 2 Yubikey 5 for myself and 2 for my wife. Your videos are a lifesaver... I will be able to use YKMAN CLI now, to set up discoverable creds on important accounts. Your videos are the first clear, thorough tutorials I've found. Those by Yubico are too vague. Thank you! 😃 Btw: I would love to see a tutorial on use of Yubikey 5: PIV on Mac OS (please consider doing that) and again many thanks.
Yes, I can configure my browser from my Google account to kill all login cookies when I close the computer browser and log in again to my Google account with the Yubikey key. But how to do the same on an Android mobile? Thanks
Good video explaining how these Yubikeys work. I have been using the same Pin for windows and the Yubikey and this has been very confusing. How can you change the Pin on the Yubikey?
Having the ability to reset the account is always a good thing, but you need to keep those codes really secure. Actually I have 4 keys registered for all of my important accounts, one key is in a safe place in the house. :)
I'm not a Mac user, but sadly enough I've tried with the standard RDP client by Microsoft on a MacBook Air M1 and it does not work. Even if you have the option to share the smart card, something seems just not to work and when you try using the key you get an error. I've read online that someone got it to work with another RDP client, but honestly I never tried. I'll investigate
Just try with online services :), OpenAI / Cohere, etc. Also local embedding models really need small GPU to run on decent speed, they are really small compared to an LLM.
It does not depend on the virtualization system; Remote Desktop Protocol is part of Windows and does not care if the machine you are connecting to is on bare metal, Hyper-V, ESXi or whatever.
Nice tutorial. Keep up the good work 👍 Could you do a video where you are on another machine or someone else's computer and the process of using your key there? I still don't understand if I have to transfer the public key manually to the machine I'm connecting from before connecting…
You need to copy the shim private key, but if you create a resident key, you just need your yubikey. You use the command line utility to extract the key. ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-jYb7l7mbhLM.htmlsi=CaecHRQoAMyyGFLi
Hey Gian! Your Yubikey playlist has been incredibly helpful; I've learned a lot! Thanks for creating it. Just a quick note: in the video, you mentioned the SSH Private key as a "reference," but it's actually the genuine PRIVATE KEY encrypted with the Yubikey's master key. Also, the SSH Private key isn't stored in the Yubikey; instead, the Yubikey decrypts it when you connect. I noticed this distinction after watching your follow-up videos on resident keys. Adding a note in the description could clarify this for future viewers. Thanks for your great content!
Thanks, following official documentation (developers.yubico.com/SSH/Securing_SSH_with_FIDO2.html) the private key should be stored inside the key. … The first file, id_ecdsa_sk, contains a reference to the private key credential stored on the YubiKey. The second file, id_ecdsa_sk.pub, contains the public key
Can you explain why the keys don't work well with iPhones? I had an iPhone SE and a Yubikey with NFC, but it never worked with the phone. Now I have an iPhone 15, which allows me to put the Yubikey directly into the USB-C port, but the keys are still not working! I tried logging into my email and it said "no credentials found," but the keys work fine on my laptop.
I do not own an iPhone, so I cannot test, but it should work. On Android I had problems with browsers other than Chrome in the past, but with Chrome I had no problem. Which service are you trying to use the Yubikey with?
@codewrecks I think it's called WebAuthn. Not the TOTP or passkey. I still use a password and then use the key after entering the password. I know the key is properly added to my accounts because I have no problem with a laptop.
On Android I had problems using browsers other than Chrome, but for iPhone the official documentation states that it should just work: support.apple.com/it-it/102637 . Which service are you using? Google, Microsoft, or does it not work with any service?
Good tutorial but not working for me. When I go to my new computer and do "ssh-keygen -K" it says "Cannot download keys without provider". What am I missing?
Thank you very much. Works great. But I have 2 questions: Can I use it also in PuTTY? I have 3 Yubikeys. How can I configure it so that my clients (2x laptops/1x desktop) can use all 3 Yubikeys? Maybe you can help me/us. Thank you.
Actually you can use your keys on any computer you want. When you first create the SSH key you get a private key (that is only a SHIM key that points to the right physical key). You can copy that private key to any computer you want. You can also create a resident key, where you can extract the SHIM key with the command line tool. I have not used PuTTY for a long time, but from the official documentation it seems that it has no problem with your Yubikey: developers.yubico.com/PGP/SSH_authentication/Windows.html
Wonderful video. I just got my YubiKey and watched your other video for first time users. In this video at 1:22 the Google Prompt asks for the Security Key Password. Do I enter the FIDO Pin that I created? Thanks.
Yes, when some site / software is using your YubiKey to perform authentication (not as 2nd factor, but using the key as the sole factor of authentication) it asks you for the PIN. If you get it wrong 8 times, the credentials inside the key are lost forever.
I would love to know if this still works for you because as of the last month, I am not able to download any of the files, or zips that GPT creates for me. Hope it still works, thanks!
@codewrecks I figured it out on my side, it was entirely my fault, though something I think many will encounter. If you have a popup blocker or AdBlock, both of those will block the download link from executing. I guess it is just that the function being used by GPT triggers the plugins to false flag the file. I've reported it to the popup blocker and AdBlock devs.
Using the key to log in to Windows 10 is a thing that I never got right for a computer that is not connected to Azure Active Directory. The reason is that for a local account you can always enter with your password, and I also had problems configuring it on a couple of computers with Windows Hello :(. Actually I gave up trying to use it to log on to my Windows 10.
The challenge phrase A1B2C3 is not to verify that you are really in front of the computer. It is to make sure that you are actually entering the code you think you are. For example, if you have the wrong keyboard layout without realizing.
Hello, I can't use that because it shows an error in my Python... Do you know which library I need to install for this function: semantic_kernel.skill_definition?
I have not tried embeddings outside English and Italian, so I really have no special suggestion. Actually we have embeddings specialized on English and multilingual for everything else. I suggest starting with some industry standard (OpenAI, Cohere, etc.) before trying a local model. You can establish a baseline, then you can start using some multilingual one.
What a nice feature Advanced Data Analysis. May I ask how did you work with API and parse the result to download ChatGPT's response as a zip file before?
Actually I had custom code and some custom prompts to force GPT to have a precise output structure. It was C# code: I asked in the prompt to include a comment with the name of the file in each snippet, then parsed the output to find all snippets, hoping that GPT understood my instruction so I find the name of the file in the first line and so on. It was not perfect and today I really rely on Copilot directly integrated in VS Code or the technique in this video if I want it to generate some longer code.
@codewrecks Given that not everyone has access to Advanced Data Analysis and ChatGPT4 Plus, I would love to see some sample code on how you did it previously if you don't mind sharing. Maybe a GitHub page or something. If not, it's cool.
Hello, I liked your yubikey video very much and I applied it, but I have a question on my mind. I put a password on the piv and fido side as you did, but when I use services such as binance on the phone, it does not ask for a password, can I put a password on this? Because I feel so insecure this way.
If the service does not ask for a password it means that it is using the key as second factor of authentication. If the service allows you to log in only with the key without requiring the PIN, the service is (in my opinion) using the key in the wrong way. You should have two options: Username+password then touch the key (used as 2FA), or PIN+Key (FIDO2). But touching the key without requiring keyword PIN is not security. Have you tried from an incognito browser tab? (Maybe you are still logged in and the site is asking only for the key as 2FA.)
@codewrecks Now, when I check it on the computer, it works properly, first it verifies the PIN and then the Yubikey. But I couldn't verify from the phone (I tried with Google). When I do it from the computer for Binance, it asks for the PIN and then the Yubikey, but only the Yubikey is enough on the phone. Is this their problem, right? Also, I installed Yubico Authenticator instead of Authenticator and put a password there. Even if the wrong password is entered repeatedly, nothing happens. Is this normal? So, after a certain number of incorrect entries, there is no reset etc.?
@slay1_1 If they do not require the PIN on the phone it is their problem (but it seems strange to me because it means that they are only using the 2FA part of the key). The password on Yubico Authenticator is used only to protect the 2FA stored inside the key, but there is no protection against incorrect entries. Since it is used only for 2FA there is no need for this kind of protection. (Yubico Authenticator is the equivalent of Google Authenticator, with the sole difference that the seeds are inside your Yubikey.)
@codewrecks Now I added the Yubikey to the Tutanota (mail service) phone application and it was added as U2F but it does not ask for my password. I think it doesn't require a password for the phone. Can you check that? Can you check if any phone app requires a password? I made the settings you made, I put a password on the FIDO side, I put a password on the PIV side, but I did not set a password or any settings on the OTP side. I made a password from the Yubico Authenticator application and the password there works. I think I did something wrong or the Yubikey is not working properly for the phone.
When the key is used as two factor auth, it does not require the PIN. What I suppose is that the application stores your credentials and uses the Yubikey only as 2FA. Usually mail apps on your phone do not ask for credentials every time you open the app, they just store them securely inside the phone. When you add your Yubikey you are adding only the second factor, so it is normal that the PIN is not requested. You should try to uninstall the app completely, reinstall it (or install it on a new phone), then verify the login procedure. No application can use a FIDO2 credential inside your Yubikey without entering the PIN.
Hello, I registered the yubikey to binance Protection, but when binance asks for the yubikey over the phone, I show it to you, but it opens directly without asking for a password. I want it to ask for both yubikey and password, can I do this? I hope it was explanatory, I wrote it with translation.
I do not use Binance so I do not know how they are using the key. Basically if the key is used as FIDO2 SINGLE source of auth, it should ask you for the PIN. Combination of KEY+PIN is enough to log in. What you need is to configure the key only as second factor of authentication (but since I do not know Binance, I do not know if it is possible and how to do it.)
That is nicely explained. Thank you so much. A few follow-up questions: 1. if you are creating a generic chatbot that should be able to do "anything", let's say, to summarise a video, but also to write and send an email - do you create a HandleBars plan and give it to chatGPT to pick one? 2. What if you want to mix a few plans, from the example above -> Summarize this video and write and send email
You will create agents for tasks, then it is GPT (or the LLM you want to use) that analyzes the question of the user, looks at which agents it can use, and devises a plan to solve the user question. This leads to: a single user question will generate a unique plan. The plan is generated by the LLM looking at the question of the user and the agents it can use.
@codewrecks Thank you. I saw this in a few videos later, but thanks for clarifying. What would be super interesting is if you could record a video on how to save plans and call them later, especially if it is possible to have the LLM pick up from pre-saved plans. So, in your example, you have a plan for transcribing a video, if you have a plan that drafts an email on a specific topic and sends it via a plug-in. It would be amazing to see how to offer those plans to the LLM so it can pick up depending on what the user asks. Thanks
@James_PET Plans are not meant to be saved, because they are based on the user question. What you can do is create agents that aggregate other agents. I'll explain. You have three agents: extract audio, extract text from audio, summarize timeline. Now if you ask "Can you summarize video XYZ.mp4" the agent will interrogate the LLM and, based on the three agents, devise a plan. But you can do this: create a fourth agent, call it "Summarize Video", and internally simply call the three previous agents (or the functions that the agents call). Now that agent is actually a plan agent that is capable of doing what you requested. I have not examined the possibility of saving a plan directly; it could be interesting if a user wants to save it. In this situation the scenario is: the user asks "Can you summarize video XYZ.mp4?" He/she gets a plan in return, the plan is good, and he/she presses save and gives the plan a name and a description. Then the software should add that plan as an agent to the list of available agents.
Hi, this has been a good feature to use on the PC, thanks. Would you please know if it's also possible to use OTP Long Touch (Slot 2) with an iPhone? I've tried to set it up but with no joy, thanks Paul
I bought my Yubikeys from Amazon. I received the YubiKey 5 Nano on April 1st, the YubiKey 5 Ci on Apr 3rd. Yesterday, Apr 9th, I received the following messages upon boot:
[ 2.336715] usb 1-14: new full-speed USB device number 4 using xhci_hcd
[ 2.464891] usb 1-14: device descriptor read/64, error -71
[ 2.700891] usb 1-14: device descriptor read/64, error -71
[ 2.936965] usb 1-14: new full-speed USB device number 5 using xhci_hcd
[ 3.064997] usb 1-14: device descriptor read/64, error -71
[ 3.300994] usb 1-14: device descriptor read/64, error -71
[ 3.409086] usb usb1-port14: attempt power cycle
[ 3.820721] usb 1-14: new full-speed USB device number 6 using xhci_hcd
[ 3.820896] usb 1-14: Device not responding to setup address.
[ 4.029156] usb 1-14: Device not responding to setup address.
[ 4.236968] usb 1-14: device not accepting address 6, error -71
[ 4.364974] usb 1-14: new full-speed USB device number 7 using xhci_hcd
[ 4.365182] usb 1-14: Device not responding to setup address.
[ 4.573165] usb 1-14: Device not responding to setup address.
[ 4.780969] usb 1-14: device not accepting address 7, error -71
[ 4.781236] usb usb1-port14: unable to enumerate USB device
These are from the Nano, but I believe the 5Ci exhibited similar messages. I am using a static password in slot 2 to decrypt my root partition. Are these messages indicating a failing Yubikey?
For using Security keys on iPhone, Apple REQUIRES two physical keys. And I can't get the Nano to work, even with a USB-A to lightning adapter (I've tried two). I recently bought a Yubikey 5 Nano and a 5Ci. I can register the 5Ci as a security key with my iPhone SE2, but not the Nano. These products are too difficult. I wasted $135.
Apple adapters from USB-A to Lightning do not transfer data so the Yubikey Nano does not work :(. This is the problem with proprietary ports like Lightning. Luckily enough we should have USB-C for all devices now.
In another video you mentioned that the Yubikey FIDO2 PIN can be stored in KeePass, so in this case, I can't secure KeePass with the Yubikey because to get the PIN I need the PIN, is that correct?
If you have only one key you are correct, if you have more than one key you can use yubikey with keepass. Using the key for keepass does not require pin, because it is just another layer of security over the standard password
Can you tell me why the keycloak environment variables are created automatically but not generated for me? I also get this error, if someone knows how to fix it would be great: Exception in multi-container configuration parse: YamlException: (Line: 6, Col: 9, Idx: 89) - (Line: 6, Col: 74, Idx: 154): Bind mount must start with ${WEBAPP_STORAGE_HOME}.