
2FA Isn’t Secure - Here’s What You Need Instead! 

Shannon Morse
Subscribe 125K
143K views

Get $5 a Yubikey 5 NFC: www.yubi.co/sh...
Get a Yubikey and protect your accounts! amzn.to/3S8BSLL *
FTC: Links marked with * are affiliate links, which means I make a small commission off any sales.
References:
fidoalliance.o...
www.pcmag.com/...
/ we_had_a_security_inci...
www.protocol.c...
blog.cloudflar...
techcrunch.com...
www.zdnet.com/...
/ an-update-on-two-facto...

Published: 29 Aug 2024

Comments: 537
@ShannonMorse 1 year ago
Pinning this comment so y'all can easily find my previous videos about Yubikeys! ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-vjTA6DeD9y8.html I'm seeing the same questions several times and I answered them in this video!
@TheCynysterMind 1 year ago
Sadly MOST financial institutions do not support FIDO keys. As of now none of my banks nor credit cards nor retirement or payroll sites support hardware keys. But pointless sites like social media do...
@SaHaRaSquad 1 year ago
That's the exact reason I haven't bought a Yubikey yet. My bank account is one of the least protected because banks ironically don't seem to be interested in proper security. The only account I care about which supports yubikeys is the email account, which is important but it's just a single one.
@paulbigbee 1 year ago
Glad you made this point. Financial services have successfully externalized all of the costs to other parties, including us, their customers. Even Bank of America's WebAuthn implementation is pathetically lazy. By contrast, gaming companies have had to bear the burden of taking calls, creating tickets and recreating state in the game. In short, cost. So, they went looking for a better answer. TL;DR - incentives are for banks, sadly, to do nothing.
@TheCynysterMind 1 year ago
@SaHaRaSquad I would recommend getting the cheaper FIDO keys (you should have at least two.. I have 3) and experimenting with them on a site you do not care about so you can test the ins and outs.
@Tech-geeky 1 year ago
That's because they gotta cater for everyone... The larger the population of users, the less secure it will have to be.. We always cater for the 'bottom line', the least secure.... The reason why banks usually won't adopt better security is "Our platform doesn't support it", or "it will be too costly". I would say it's about bloody time users got educated.... We all want banks to stop scammers for us as well, but going "so far" with anything will force users to be better. To me, that is a good thing. You can't expect a business to hold ya hand 100%..
@TheCynysterMind 1 year ago
@Tech-geeky I am not sure I agree with your assessment. *That's because they gotta cater for everyone* Doesn't social media as well? If social media can manage to implement better security.. the banks should have no difficulty. And let us not forget: this technology is available for those that want it. The broader clueless user base is not likely to be forced to use this tech with obvious security benefits. But financial institutions seem to be purposely taking steps that make accounts "appear" secure without ACTUALLY being secure.
@mrfoodarama 1 year ago
Great topic! I wish more companies would add this to their sites, particularly US Banks!
@Darkk6969 1 year ago
I agree. My current bank only uses SMS which is insecure. Better than nothing I agree but at least offer Google Auth as an option!
@BioBrimm 1 year ago
Yes! I was the victim of a SIM swap and haven't wanted to use my phone for anything since but am often forced to. Even though I invested in a hardware key, it's rarely an option on its own.
@briancarnell 1 year ago
This is the real problem. So little support for hardware keys still.
@notreallyme425 1 year ago
Nah, my bank just asks for my dog's name. I'm sure that's safe.
@gblargg 1 year ago
@notreallyme425 I generate random strings for each one of those. They are essentially passwords, so you should make them secure.
@headlights-go-up 1 year ago
Such a good video! Your work spreading knowledge on the greatness that is hardware keys (as well as your hard work in general) is very much appreciated.
@ShannonMorse 1 year ago
I appreciate that!
@Blox117 1 year ago
it should be a part of the device itself, inside TPM
@anamegoeshere 1 year ago
@ShannonMorse so once you fail IT and this platform, when are you making an o/f?
@VincentGroenewold 1 year ago
Thanks Shannon, I bit the bullet and used the promo code. Ordered 2 keys, one as a spare. :)
@ShannonMorse 1 year ago
Smart!!
@supawiz6991 1 year ago
“Use the for your most critical accounts” Too bad most banks don’t support it. My bank just finally added support for TOTP. If it takes them the same amount of time to add support for hardware keys as it did for TOTP, it’s gonna be quite a long time before it happens. Hardware keys are king. I use them on any site that supports it. I also use them for ssh access to my servers.
@chrisguli2865 1 year ago
I wish they did this for online (and offline) credit and debit purchases - fraudulent charges would go to virtually zero. So just having the card number and details would not be enough for a purchase to go through. Some banks have started doing something like this using virtual card numbers.
@azclaimjumper 1 year ago
Bank of America, at present, is the ONLY U.S. bank I know of that permits their customers to secure their accounts with YubiKeys.
@JasonsLabVideos 1 year ago
YEP! the Physical is the way to go ! Don't forget to use generated passwords too !
@Tech-geeky 1 year ago
heck... should never be an "option". Generated passwords ought to be required. But alas, we have to cater for websites still that will never be 'as secure' as others.. Again, dragging through the dirt..... there is no solution.. You can have a really good password, but if the backend is weak, it's not gonna matter. Anything IS better than nothing, but is it really worth it if it's not gonna protect you anyway?
@Nanabon23 1 year ago
Been following both this account and the Sailorsnubs account for a while. Not only have you just completely sold me on getting a personal hardware key, but coincidentally I am currently writing an essay about authentication vs. authorization for my cybersecurity class. I was just casually watching your up-to-date videos because I really enjoy your content! But when I heard you mention authentication / recent events and why Yubikeys are a must for 2FA, I was like wait a minute... Hold up! This is a good example for my essay! Write this down, write it down! LOL Thank you for providing us important information! I will make sure to properly cite your video! Much Love
@BladeWDR 1 year ago
I wish more sites would allow setting up more than one hardware key. I'm absent-minded and prone to losing things. For every site I have a hardware key on I also need to leave TOTP enabled just so I don't lock myself out of the account by losing the key.
@Tech-geeky 1 year ago
That's funny... We have security in the use of hardware keys, but then we make security less useful by having "multiple copies" where 'others' can get at them as well.. We THINK it's safe, but it's not. Ideally I'd be more worried about whether my backup will be safe.. Just because we think it's secret doesn't mean it is... particularly when we do not have physical access and it's stored "off site". Makes it THAT much easier for others to get.. If people are determined, they'll get it. Look at what happened with LastPass... but it can happen anytime to any company.... ExpressVPN too.. But we always like to trade for convenience. We Need to change THAT. And until we do change, getting at security stuff will always be a problem.
@writingpanda 1 year ago
Any time someone talks about Yubikeys, that's an instant like from me. Great video, Snubs!
@ShannonMorse 1 year ago
Much appreciated!
@mschwage 1 year ago
Agreed. I was hesitant to get one... I didn't understand them, and I was worried I could lose one. So I bought two, eventually, and when I used them I was an instant convert.
@writingpanda 1 year ago
@mschwage I'm so glad you decided to invest in some Yubikeys! You're doing it right!
@RyoKimball 1 year ago
Immediately after hearing your comment on art on the key, I grabbed mine and started looking for art supplies.
@chickpeas.are.versatile 1 year ago
Great video, Shannon! Although I wish some companies would implement it fully rather than do it half-arsed. For example, some sites only allow 1 hardware key to be registered… By not allowing a backup key to be registered it just increases the risk of me getting locked out of my account if I lose/break my main key. Hopefully more and more sites will fix this issue in the future and it is videos like yours which will help increase awareness and adoption so that these problems are eventually solved ✊
@longlashcoffeecatcoffeecat7551
We've seen websites that offer SMS and auth app. And the more rare SMS / key combo. If you're lucky you might get a website that offers one of each method or up to TWO keys. But, my favorite sites are the ones that allow you to use ALL methods and as many as you like. One change I would at least like to see is if you're required to have 2 methods to activate MFA, that you can use 2 keys and/or not have SMS be mandatory. But SMS is about "We know you're a human being"...at least that's what the American banks, etc, tell us. Are cybercrimes at the point where either phone companies or websites should be held responsible for sim swapping if SMS is the only 2FA method available? If the answer is "Yes", then what happens to users that refuse to use 2FA or websites that don't offer any? Like the recent password stuffing attack on PayPal.
@SgtKilgore406 1 year ago
This is exactly why I stick with TOTP instead of pushing forward with hardware keys. I can't trust myself to not lose it and royally screw myself over.
@autohmae 1 year ago
Yes, this is a big missing part. What they do often allow: a list of 'recovery codes'.
@AG-bp3ll 1 year ago
@SgtKilgore406 I totally agree with this. I can't have everything tied to a single key. These keys are tough but they can get damaged or lost. You either can't have a second key or you have to leave a backup to get in that someone could just use to bypass the key anyway.
@BogdanSass 1 year ago
THIS! I don't know if they fixed it, but a while ago even Amazon AWS only allowed you to register one (ONE!) security key!
@mikaellavoie6811 6 months ago
Just found your channel, listened to 3-4 videos in a row and I subscribed! Very good content and very well vulgarised/explained while maintaining some technical information for more tech-savvy people! Good job!
@ShannonMorse 6 months ago
Hey welcome to my channel! I'm pretty active with the community here if you ever have questions or just wanna say hi 😄💓
@ericdere 1 year ago
TOTP keys in a 2FA app are not sent to you, they are generated based on the initial seed code which you get by scanning the QR code. A 2FA app is therefore more secure than 2FA via SMS or email
@SgtKilgore406 1 year ago
I'm surprised OP missed that. I don't consider SMS or email as 2FA. All my 2FA are TOTP keys which as you said cannot be intercepted provided you are smart with your secrets. If it wasn't for my aptitude to lose things from time to time I wouldn't be as afraid to invest in physical keys. At this time I see it as too risky to use a security device that small and potentially that easy to lose.
@joseabraham777 1 year ago
But what happens if I lose access to my phone? Do the websites offer an easy way to restore my logins? I have that doubt :/
@ericdere 1 year ago
@joseabraham777 There are two possibilities:
- you back up your 2FA data in the app to the cloud
- you use recovery keys which you can get from the site you log in to (do this before losing your phone)
@buffalo_wings8224 1 year ago
@ericdere Please help me understand how these recovery keys don't completely undermine the concept of 2FA. A brute force attack can penetrate the static recovery keys even when the website tries to circumvent it. Most of the recovery keys I have seen are 8 digits long max and the sites don't lock you out after multiple tries. Sometimes the recovery screen defaults back to the username/PW login screen after several failed attempts, but a crafty hacker can automate the brute force attack. At the very least, the recovery codes provided should be much much stronger.
@Tech-geeky 1 year ago
Still depends on whether people keep their device and app(s) up-to-date. Apps depend on the operating system and therefore the device.. QR codes are not perfect either, and I wouldn't really rely on them for security. TouchID is better. It's all a stepping stone... How secure do you wanna be??
@feargalledwidge806 1 year ago
Hardware keys are a great idea in principle - but in reality, for large companies they can be a nightmare to manage. Users lose their hardware keys or forget and leave them at home - so your security team is constantly issuing new keys or temporary keys. That is why phone auth apps reign supreme. Even the worst user will always remember their phone. Normally when I do 2FA deployments I do phone apps as the primary option with Yubikeys for those users who don't want to use their personal phones.
@BDBD16 1 year ago
What about those non smart phone users....yup...encountered it before.....
@feargalledwidge806 1 year ago
@BDBD16 That's why phone apps are the primary option - but not the only option. For people without smartphones or who don't want to use their personal phones, a Yubikey covers those cases.
@tudalex 1 year ago
Hi, here is a simple trick. Give them the micro keys that will always stay plugged into their laptops/workstations. If you are trying to protect from stolen laptops, configure the yubikeys to also ask for a password, not just a tap. Another way I’ve seen it done was to suggest them to have them attached to their badge keyring or home keys.
@klwthe3rd 1 year ago
I couldn't agree more. I work in IT Security and if you read my posted comment, it talks about people losing or forgetting their keys everywhere but on them.
@esquilax5563 1 year ago
Who are these people who are going to work without their keys?? The whole idea of these things is you keep one on the same key ring as your house key, so you're essentially never without it
@geezergeek1637 1 year ago
For me, no linked videos at the end. Not sure what happened. Thank you for this content. You are the second person this week that I have seen addressing this topic. Each presentation was different, and yours more in depth on the physical keys. Thanks again.
@Macleod1617 1 year ago
Thanks for the code! It works for EACH Yubikey you buy. It's best to buy 2 just in case you lose one, and you won't get locked out of your accounts... I got $10 off my purchase. Thanks again Shannon!
@ShannonMorse 1 year ago
Yesss this is the way!
@jackielinde7568 1 year ago
This episode reminds me of that famous Hootie and the Blowfish song: "Every Time I Touch My Security Key, I Log In".
@byondead 1 year ago
One great use for hardware keys is for seniors. Some may not use cell phones at all and are still using a land line. So this prevents many usable options (like SMS, TOTP, the cell phone itself, etc). Plus it's simple to use, and they don't have to constantly change their password. Dealing with a senior who is locked out of their account and educating them on this can be frustrating for you and them.
@himabimdimwim 1 year ago
I bought two yubikeys after watching your previous videos on hardware keys, I'm excited for them to arrive!
@jedikv 1 year ago
Make sure to periodically check (like every year) that your key is still accepted. I have one key from around 2017 that is no longer accepted for some services, while newer keys I got in the past year or so have been.
@ShannonMorse 1 year ago
I do a yearly security audit to check for this. Good idea to have a different model backup key or to keep your backup codes handy in this case.
@martinlutherkingjr.5582 1 year ago
Are they the same model keys?
@jedikv 1 year ago
@martinlutherkingjr.5582 No, different models.
@ivanbarksdale 1 year ago
Very insightful video! Btw I ❤your sailor moon shirt it compliments you and your setup beautifully ✨🤟🏾
@joeltyler3427 1 year ago
Yeah. Companies should have this mandatory. No matter what job role.
@Lucy-dk5cz 1 year ago
Absolutes are never the solution. The security required needs to be tailored to each specific case.
@Plexdet 1 year ago
Example: someone whose job is welding or some other construction work and they never need to log into a computer at work.
@klwthe3rd 1 year ago
@Lucy-dk5cz I agree. Well stated.
@donamills 1 year ago
Thanks for your content. Because of your explaining this over the yrs, I finally got my Yubikey(s) several months ago along with setting up Bitwarden and 2FA (at a minimum). I just wish more companies implemented hardware keys. Thanks again. 👍
@azclaimjumper 1 year ago
YubiKey is required for me to log onto both of my computers (I don't have a so-called Smart Phone) BitWarden, GoDaddy, Yahoo, Google, Tutanota
@gunnargu 1 year ago
Did not notice this in the video, these security keys work with the browser so that if a phishing site looks similar to the real website it still won't allow authentication, because the domain does not match.
@ShannonMorse 1 year ago
That's correct!
@PPNStudio 1 year ago
ProTip: Don't keep your key / security dongle in the same place as your devices. (If a thief steals your purse or laptop bag and the key is inside it, they now have access to your accounts.)
@Ghoul847 7 months ago
Set up a PIN, and disable key 1 ASAP in the account with the backup key. A thief would need to know your usernames and passwords, unless you have it set up where you can log in just using a key, then you're screwed 😬. You really do need a second key in case of doubts.
@Counterhackingsafe 1 year ago
Wow, I am blown away by this post! The information provided is so helpful and informative. I never thought about it that way before. Thank you so much for sharing your knowledge with us. I can't wait to try out some of these tips and see the results for myself. Keep up the great work!
@krstnhkn 1 year ago
This video came at a perfect time. I've been wanting to get a Yubikey for years but never got round to doing so. Now finally ordered one, thanks for the $5 off! :D
@azclaimjumper 1 year ago
Do yourself a favor & follow YubiCo's STRONG RECOMMENDATION: go back & buy a 2nd Yubikey, in case you lose your first one.
@Destide 1 year ago
Just this week I have started getting my team behind hardware keys; great video to link if I start getting pushback.
@_BangDroid_ 1 year ago
You'll always get pushback, make it policy if you can
@vasiovasio 1 year ago
Great overview! Thank you, Shannon!
@TofranBohk 1 year ago
What happens when you lose the Yubikey or it gets damaged?
@BDBD16 1 year ago
Straight to prison.
@jamesphillips2285 1 year ago
You really need a second one stored off-site in case that happens. (Or tedious one-time passwords also stored off-site.)
@Tech-geeky 1 year ago
@BDBD16 😆
@Tech-geeky 1 year ago
Making it easier in case one gets damaged is not my idea of security..... Each to their own, I guess, but the more we have as "backups" the less secure we will be when they are found. We think we know where they are till someone finds them. There is no solution, I think.. Constant game of cat'n'mouse... The % of someone else getting access will be small, BUT it's still there.
@Taikaru 9 months ago
Fantastic shirt! As someone who stumbled onto the video randomly, that was quite unexpected. :D
@AndyBlackman 1 year ago
I picked a key up a long time ago. Didn't use it very much. Now I am changing my opinion. Now I just have to figure out how to activate it again.
@Decomas 1 year ago
You can go one step further and get it as an implant. The key pair is generated on the chip inside your body
@khayla_matthews 1 year ago
Really useful info. & I love your t-shirt! It's so cute
@ShannonMorse 1 year ago
Thanks so much!
@gblargg 1 year ago
Too bad hardly any sites support this kind of thing. Another version of this is something like Google's Authenticator. Run it on an old air-gapped phone. More things support this. A big problem with all these is account recovery, which uses alternate less-secure means. What happens if you lose the key or it gets stolen? How do you get into your account or stop them from doing so? If you can do either of these without the key, an attacker can do this to your account without the key. (I had to dumb this down because RU-vid was deleting my comment. I guess we can't discuss this topic.)
@bourne_ 1 year ago
Got 2nd physical key like a week ago (Kensington USB-C with biometric layer) and I love it. I was finally able to add key to Windows/Outlook account!
@therealb888 1 year ago
I need this, couldn't have uploaded at a better time.
@juliusrowe9374 1 year ago
Great content Shannon! Super informative too!
@rob-toolsandtech2521 1 year ago
Awesome video, Snubs. I've been thinking about this more lately with what has recently come out with companies such as T-Mobile and Bank of America.
@mihai-mcw 8 months ago
To sum up the video.... 2FA is not secure.... Use 2FA instead....
@1sikteg 1 year ago
The Yubikey code can still be intercepted on physical push. I tried this on myself in a browser while I had a prompt asking to tap my hardware device. If a threat actor is on your computer it can be intercepted.
@hiftu 1 year ago
Good luck using biometrics. You can not even change it If your access is compromised. (e.g. fingerprint copy) Which is a big no-no if you don't have human resource (military guard) checking the usage the interface (scanner installed at a door).
@kamertonaudiophileplayer847
The physical device can be stolen, right?
@ZhouDynasty314 1 year ago
wish I saw your code before I bought them, but I will send it to my friend so you get credit for helping us secure our accounts!
@networknightmares7744 1 year ago
So hardware keys aren't 2FA? Confused... I thought they were a 'second factor'
@KevinTurner-aka-keturn 1 year ago
I'm trying to think through the scenario you described as the reddit compromise, which sounds to me like a mal-in-the-middle situation where the attacker convinced the mark to type in their TOTP code to the phishing site and then relayed it through to the target site in near-real-time. I watched the "debunking 5 myths", but this part still isn't clear to me yet: how does a key defeat that attack? does the protocol restrict the key from sending its response to a server other than the one designated for that account? How does that work?
@steamfox 1 year ago
I was a bit surprised this wasn't mentioned in the video since it seems to be what truly differentiates a FIDO2 key from for example an auth app or a "legacy" HW key. In my understanding FIDO2 protocol does protect from this type of attack, making it an "unphishable" authentication method.
@gblargg 1 year ago
@steamfox How can they defend against this? The middleman essentially relays everything until validated.
@jamesphillips2285 1 year ago
@gblargg The middle-man uses a look-alike domain. So if the domain name is used in the challenge, the response won't be correct for the real website.
@gblargg 1 year ago
@jamesphillips2285 How does the USB device know where the challenge is coming from? Just forward the authentic challenge from the authentic site.
@jamesphillips2285 1 year ago
@gblargg Without getting into the standards documents (apparently U2F was renamed CTAP is how far I got), the browser must pass on the web domain as part of the challenge.
@acerhad 1 year ago
Thank you for your knowledge, I've been on the fence about getting a Yubikey and your video did it for me. I got a mini already and I am thinking about getting a 2nd one as a spare and for my mobile devices. I am having some problems getting it to work but I am sure I'll figure it out eventually.
@brianray8484 1 year ago
Can you explain the difference between something like Yubikey and EveryKey?
@zionpsyfer 1 year ago
More great info. Long live Yubi. Thanks again for keeping us up-to-date on security news and info. =)
@myname-mz3lo 1 year ago
or any other brand that does this lol
@tjbrison 3 months ago
Try using a hardware key without a mobile phone. Big Tech wants your IMEI number for authentication and cross-device tracking - locking down the individual to specific hardware. Then there are the number of companies that simply don't support hardware token based 2FA. I know of one bank that doesn't even allow complex long passwords! A small amount of research seems to suggest that the reason 2FA is being advertised and pushed isn't for your security. It's for tracking who you are and what you do - especially those companies who don't allow 2FA without involving a mobile device.
@coisasnatv 1 year ago
Hardware keys are useless, try to lose one and tell that to AWS or any other services that use one of those to see what happens, it is a stress you don't want in your life. In my case, I lost all my keys in a flood that destroyed my home. Do not trust security hardware, use a password manager instead.
@beauregardslim1914 1 year ago
I prefer to use someone else's finger. That way I can keep it in a locked box in a secure location. 😆
@ShannonMorse 1 year ago
lmao wat
@Tech-geeky 1 year ago
😆 did I read that correctly?
@beauregardslim1914 1 year ago
@Tech-geeky Of course I'm kidding. I'd have to keep them in a freezer and wait for them to thaw every time I wanted to login to GMail. Who has time for that?
@nathanielh8239 1 year ago
I have a question/scenario: what about when we have automatic login for Discord or Slack, is there an application that can sign you out automatically so it's not saved when you login/boot again?
@the_original_dude 4 days ago
In case of phishing the attacker would be able to login though that one time. So that would still be a successful targeted attack, they would be able to collect data and/or perform certain actions.
@ThorstenMerz 1 year ago
I love the colours on what appears to be the "Shannon Morse Edition" of the Yubikey, but it doesn't look like something Yubikey offer in their online store. What a shame. :(
@JohnnyMcMenamin 1 year ago
I've been nothing short of secure (and pleased) using my Google Titan key.
@digitaldeepak21 1 year ago
Thanks for making this video. But is there a way for someone to take our Yubikey and duplicate it? And if it is connected to the computer all the time (like the Yubikey nano) then is there a way to simulate the "touch" remotely without us having to touch it? Would like to know more. If you can talk about it, it would be great. Yes I am convinced that Yubikey is great, but what makes it unbreakable?
@ShannonMorse 1 year ago
Hi! I mentioned cloning of keys at about 7:20 into this video 😊 you can also find the U2F standard info linked in my shownotes to read more about the in depth material on how this standard works.
@_BangDroid_ 1 year ago
It's only considered _unbreakable_ at this current point in time. Like all security technology, eventually it will be obsolete.
@johnhaller5851 1 year ago
You can reprogram the key. It comes with a key, but obviously, Yubico knew it when it was programmed, and could program a second key. Reprogramming the key requires generating new random numbers. I have two keys I programmed myself, and the generation was done on an air-gapped Raspberry Pi. But then, I need to provide the public key I created to anyplace I want to use it. I'm not sure if using the same physical key for multiple web sites causes problems or not.
@_BangDroid_ 1 year ago
@johnhaller5851 It may only cause you problems if you want to keep one account isolated from another, eg you use the same key linked to your identity as one you used as a whistleblower. In that scenario the public key will link the two accounts, if I understand things correctly.
@Xiellion 1 year ago
blaming user error on the software is like saying "Locks don't work because if you gave the key to a criminal they could open the lock"
@Felix-ve9hs 1 year ago
I somehow ended up with 8 (eight) Ubikeys, don't ask me how 😅
@zapman2100 1 year ago
and yet none of these companies will ever allow these to be used with any product because they don't really care about your data and its security.
@michaelupchurch3779 1 year ago
Great video, thanks 😊 Shannon, hope you're well
@kushalraj 1 year ago
I want to buy U2F keys too but find it to be expensive. Hardware keys are still niche and competition isn’t there yet to bring prices closer to actual manufacturing cost. Maybe in the future there will be open source hardware token features and it’ll actually be affordable to use hardware tokens. Especially since you need at least 2 of them in case one is lost.
@azclaimjumper a year ago
Considering that the security of YubiKeys is preventing my identity from being stolen, they are a steal. YubiKeys are the absolute cheapest, BEST bargain on Planet Earth.
@Prosanity0012 a year ago
Man, I was super hacked, May 29, 2023, and I just spent my first week trying to start a Reddit channel. Dang, I didn't know that every time I turn around I see something else that could've possibly led to this hacker that I fought for three hours. He had all my login information and all my emails and my phone; trying to save my Apple ID and everything was just a fail in the end.
@wavemakersdj a year ago
I would add as a massive one to these other attacks what happened to the LastPass dev that they just revealed. Their devops engineers were using two-factor via the Microsoft app request instead of requiring a security key. A keylogger installed via what seems to be a rogue Plex server download or Plex server insecurity copied the password on the dev's personal computer, and they pushed an MS app auth request to the engineer, who accepted it. LastPass says in response to that breach: "We enabled Microsoft’s conditional access PIN-matching multifactor authentication using an upgrade to the Microsoft Authenticator application which became generally available during the incident." What?! So now they'll look at running malware on the phones to get the PINs. WHY NOT USE THE KEYS?!?! Yubikey auth would have stopped this one!
@ShannonMorse a year ago
I just read about that last night!
@wavemakersdj a year ago
@SME Pictures sure, but the difference is on the other side. Pressing accept on a prompt or having numbers flash on your phone is able to be seen/pushed/stolen by others without you doing anything if they have the right malware. Not the same for you taking a security key, inserting it into the device, and pressing the button. You can't screen capture or keylog that physical action.
@lowbar77 a year ago
Lastpass' day is over. I have moved on.
@xybersurfer a year ago
Recently the Microsoft Authenticator app has started asking for a 2-digit PIN instead of just asking to accept, in most cases. The PIN is shown on the website you are logging into. When the request arrives at the app, the app asks for the PIN to be able to accept the request. I think that might be what they mean. This way you can't unintentionally accept a request that someone else made, because you don't even know the PIN that you are supposed to enter to accept it. The attacker can't even spam you with requests and make you eventually accept to make it stop, because you don't even know the PIN.
@JediOfTheRepublic a year ago
LMAO, yeah that is on the Engineer who accepted the push not a flaw in MFA.
@srikargottipati a year ago
But the issue with most sites is that they let you bypass the hardware key easily, where you can choose the option to not use it, and then the site falls back to SMS or email code etc.
@ShannonMorse a year ago
Depends on the site. Some let you do that, some let you turn off backup options entirely. If you turn off the backup options though, make sure to print out the backup one-time-use codes they give you during setup.
@uptbug a year ago
As I sit here in my living room, nodding my head in agreement to the statement 'hardware keys are a must', I look down and notice that I am currently wearing my green and blue yubikey socks.
@tanked1313 a year ago
Oh thank God I thought I was compromised! I've had a yubikey for years!
@TheHeff76 a year ago
Shannon, I love my YubiKeys. What is that full callsign on the shelf? I'm a HAM Extra! And Ethical Hacker. Oh the fun we have on the air. LOL.
@animegirlsfan02 6 days ago
The only downside with keys is, what happens if your key gets lost, the key gets damaged, or the copper wears out?
@ShannonMorse 6 days ago
I did a video about all of these questions! ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-kq1Kt__eVTU.htmlsi=coRfYNjUj-8n0rJw
@LiebsterFeind 9 months ago
Yubikey (and all other hardware keys) *are* 2FA.
@alterechtjetzt4647 a month ago
Are you aware that you're door keys can be copied if someone gets to take a picture of them?
@ShannonMorse a month ago
* Your *. Are you aware I did a video about that 3 years ago? If not, go watch it! ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-IiOD5N4E8pE.html
@MissJaye11 a year ago
First thing I noticed was the Sailor Moon Tee!! Love it!
@lennyvlaminov9480 10 months ago
I remember when Cubase went with a hardware key in order to use the software. It was via the serial port, brilliant, right? The internet was flooded with codes/code generators for all software, Cubase included. At the end of the day there is an input of one or many strings/ints. It's only software, okay, let's emulate that device. With that said, hardware keys are crucial for top security.
@xxX_420BlazeIt_Xxx a year ago
All these hacks have officially scared me shitless. Time to buy a key.
@ShannonMorse a year ago
No need to be scared, just be prepared and have a willingness to learn. 💖
@josepablolunasanchez1283 a year ago
Even if you have these keys, if you allow your machine to be infected with malware, bad actors can steal the session cookie and use it as if you had logged in on their computer. So even these keys are not safe. It adds an extra layer of difficulty.
@Raintiger88 a year ago
I would be using it, but most of the critical sites I use (like my banking), do not support it.
@circuitmasters5258 a year ago
Hardware keys can be emulated but it depends on what kind you use 😎 yubikey is awesome 👏 or nitro keys
@HappyQuailsLC a year ago
Sometimes fingerprints just don’t work so I wouldn’t want to be limited to needing it for validation.
@estusflask982 a year ago
Physical security keys are the future. Just like your car and house keys, you'll have a Yubikey to login to your accounts. Yubikeys could even be used with smart locks to replace your car and house keys.
@JediOfTheRepublic a year ago
lmao, car and house keys are becoming obsolete with smart locks. You don't need a key to open your car anymore, you use a keyless fob. You also don't need a key to start your car anymore. Your comparison doesn't make sense.
@LVRugger a year ago
How do you feel about authentication apps? My employer requires us to use one and that seems similar to me.
@Dobbo314 a year ago
I've been thinking of getting a Yubikey to protect my BitWarden vault, but the question I have is: how do I set things up so that if I lose the Yubikey I can still get access to the vault?
@ShannonMorse a year ago
Hi! I answered this in my previous videos, 5 Myths About Yubikeys. ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-vjTA6DeD9y8.html
@Dobbo314 a year ago
@@ShannonMorse Thanks. I must have missed that video - will go watch now :)
@Macleod1617 a year ago
It's best to buy 2... 1 is your primary & 1 is backup in case you lose the other. Keep 1 in your safe or somewhere secure.
@Dobbo314 a year ago
@@Macleod1617 @ShannonMorse Thanks for the help. Just placed an order for two Yubikeys.
@gothparadigm a year ago
Thank you so much. I definitely intend on getting one soon. 🔑
@justicebrewing9449 a year ago
It's essentially a key fob. Used in enterprise applications since... well, I had them in 2001, so before that :)
@AnthonyGoodley a year ago
The fact that Twitter is forcing users to either pay for Twitter Blue or else remove 2FA is unbelievable.
@dj_chateau a year ago
This is not true. Twitter is only forcing you to pay to use SMS 2FA, not other forms of 2FA. TOTP and hardware keys are still possible for free.
@AnthonyGoodley a year ago
@@dj_chateau Thanks for correcting me. I will research this further.
@dj_chateau a year ago
@@AnthonyGoodley You're welcome! Don't feel too bad about this one. When Twitter announced it and put up the alerts about it, it was so badly communicated to end-users that many of them would have reached the same conclusion you did when it was spelled out right to them. This led to a large amount of prominent Twitter users misunderstanding and reporting what you just did, which snowballs and propagates that misinformation. I think the other reason it was so believable was the logic that people wondered why Twitter thought people would want to pay for a less secure 2FA option. Which is a fair question. Why would they do that? It came down to cost-cutting to lower their bill with Twilio whenever any user would use SMS 2FA and most users not understanding the distinction.
@NtWarlock a year ago
(Timestamps for me) 1:43 username + password; 2:15 biometrics; 3:12 2FA; 4:03 hardware keys
@ShannonMorse a year ago
Thank you so much!!!
@AT-os6nb 8 months ago
For all those who haven't seen or subscribed to the Alliance for Responsible Citizenship, check it out. A great start to ARC..... Thank you Jordan Peterson and all the others involved in bringing this alliance to the world. This (ARC) is what we desperately need. Genuine facts and leadership. Now it is up to us, the public, to do our part. Spread the word, help grow the "Alliance for Responsible Citizenship", and do YOUR part to help bring about a better, more positive world for all of humanity. Put an end to the dystopian vision offered by the elites of Davos and the WEF gang. Bring individual freedom and responsibility back to the forefront of a free and prosperous society. Thank you.
@murph1329 a year ago
Developers need to be able to tap into the TPM module for security checks. It would accomplish the same thing without the need of a lanyard of hard tokens.
@mumbles1justin a year ago
I'm curious if there's a disadvantage or concern that should be considered when using the "Onlykey" over, say, the Yubikey?
@techadsr a year ago
Overall, great video. Industry needs more adoption of these hardware keys. Just one nit though. The pattern unlock is not really behavioral authentication... yeah, maybe if they implement it with more than just detecting which numbers were touched. Behavioral auth to me is more like the key cadence measurement and mouse movement with detected reaction to small movement interference. They could do that with the number swipe pattern, but how many implementations do that?
@JediOfTheRepublic a year ago
No we don't. The industry just needs to use proper MFA practices.
@_BangDroid_ a year ago
Wasn't passwordless authentication all the rage recently? How does that fare with security keys? If someone steals your wallet/purse/keys and gets your security key, now there's one less authentication factor, so a breach is even more probable.
@VincentGroenewold a year ago
It's never watertight, but this makes it way more unlikely. And if I lose them, I will immediately take action.
@TheSzalkowski a year ago
I may be out of date but a yubikey is essentially just a tiny keyboard that inputs a long password when you touch the button. It appears to be the same all the time and is not a rotating code like some tokens such as RSA.
@ShannonMorse a year ago
Incorrect. The Yubikey comes with multiple security functions, or "protocols", to implement 2FA on whatever websites you're visiting. If a website only uses OTP, then that's what the Yubikey will do. But more and more websites are implementing FIDO2/U2F instead, which does NOT print out any code. Check the link in my description or Google "fido2 white paper" to see more.
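An added example (not from the video, its comments, or Yubico) of what the "typed string" discussed in the reply above actually contains when a key is used in OTP mode; it assumes the 44-character modhex layout of Yubico OTP (a 12-character public ID followed by a 32-character AES-encrypted token) and uses constructed OTP strings rather than real key output.

```python
# Added example: split a typed Yubico OTP into its constant and rotating parts.
# Assumptions (labelled): Yubico OTP is 44 modhex characters, 12 of public ID
# plus 32 of AES-128 ciphertext. The sample OTPs are constructed, not real output.
MODHEX = "cbdefghijklnrtuv"  # 16 letters chosen to be identical on most keyboard layouts

def modhex_decode(text: str) -> bytes:
    """Decode an even-length modhex string to bytes; ValueError on bad input."""
    if len(text) % 2 or any(ch not in MODHEX for ch in text):
        raise ValueError("not a valid modhex string")
    nibbles = [MODHEX.index(ch) for ch in text]
    return bytes((hi << 4) | lo for hi, lo in zip(nibbles[::2], nibbles[1::2]))

def split_otp(otp: str) -> tuple[str, bytes]:
    """Return (public_id, encrypted_token) for one typed 44-char OTP."""
    otp = otp.strip().lower()
    if len(otp) != 44:
        raise ValueError("Yubico OTP is 44 modhex characters")
    public_id = otp[:12]              # constant for the life of the key's OTP slot
    token = modhex_decode(otp[12:])   # 16 ciphertext bytes; differ on every press
    return public_id, token

# Constructed sample: two presses of the same (fake) key.
SAMPLE_OTPS = [
    "ccccccbcgujh" + "ingjrdejhgfnuetrgigvlehhcbcrklfe",
    "ccccccbcgujh" + "bnnuggvtdthhuidelhtfvcbrelvfdhcn",
]

def same_key_rotating_token(otps: list[str]) -> bool:
    """True if every OTP shares one public ID but no two carry the same token."""
    ids = {split_otp(o)[0] for o in otps}
    tokens = [split_otp(o)[1] for o in otps]
    return len(ids) == 1 and len(set(tokens)) == len(tokens)

if __name__ == "__main__":
    for o in SAMPLE_OTPS:
        pid, tok = split_otp(o)
        print(pid, tok.hex())
    print("same key, rotating token:", same_key_rotating_token(SAMPLE_OTPS))
```

The fixed prefix is why an OTP key can look like it "types the same thing every time"; the 32 characters after it are the part a validation server decrypts and checks against its stored counter.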
@TheSzalkowski a year ago
@@ShannonMorse Thank you, I will look into the new ones. The Yubikeys I have are from the 2012 time frame.
@hugoedelarosa a year ago
The thing I cannot stand about Yubico keys is that they are expensive but are not made out of durable materials. I carry one on my keychain, and it is all scratched up/beat up. It is becoming less reliable, as it is not detected right away by my computer when I plug it in (it takes a few attempts).
@NWforager a year ago
Good to set up a voicemail PIN too.
@AndyZE123 7 months ago
I would like one, but they are almost impossible to buy in the UK.
@OH10mm a month ago
So I have a question. How do I incorporate Yubikey with FIDO 2 protocol so that if something were to happen to me, my spouse could still gain access to accounts?
@Tech-geeky a year ago
As much as I like the "push" towards "new" technology and trusting them to do what we [users] cannot do, it's a fundamental failure... always has been. There is no one size that fits all. I would rather trust myself over any tech you try and think is better.... Education is, and should be, the only thing that matters.
@ZiggyDaZigster a year ago
What about stealing the key that validates your fingerprint? Not the finger. The auth that validates it.
@BlenderRookie a year ago
If you have multiple computers, do you need a separate key for each device? What happens if the key stops working or is otherwise destroyed?
@azclaimjumper a year ago
When paired, the same YubiKey can be used to log into multiple computers. If the key stops working you are screwed UNLESS you followed Shannon's advice & YubiCo's advice & bought at least 2 Yubikeys.
@musiceditor7083 7 months ago
Great video Shannon. On the subject of accidentally losing this key... what do you do then? Can you buy them in pairs so you always have a spare?
@ShannonMorse 7 months ago
Hey, I did a video about this! ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-0iq0BgiKlWM.htmlsi=bH7HqS8xGnVOAZZc