How Does a Hardware Security Key Like YubiKey Work? 

some of these keys can also use NFC. i also worried about the same

I’m a sys admin and we will be enforcing 2FA for all our users. A contract for security keys will be signed and we’ll be supplied with the amount we need plus backups. If a user loses their key it’s no problem our administrators will reset their 2FA and allow them to set up a new one.

Un phones you got nfc or buy one for laptop or just a dongle for your usb so the replasable external is the one to wearout

Lol, lots of people do talk too fast in these sorts of video don't they?

It's not resetable, but I'd reach out to Yubico (the manufacturer) and see if they have any advice.

They don't work with Google, and most banks don't support them either. For the most part they are a waste of money. Even for a Windows login, you can just bypass it by entering the correct PIN.

@@richstilke1227 My YubiKey works quite well with Google. I don't consider it a waste at all. (Yes, you do have to ensure that you haven't set up alternate mechanisms if you want the YubiKey to be the ONLY way to ID. You can turn off the PIN if you like.)

not possible.

They are engineered to be very difficult to clone. In addition, there's a counter incremented with each use. If a cloned Yubikey is attempted to be used, the counter will be compared. If there isn't a proper match, the key will be invalidated.

@@neuideas enforcing the hardware counter is not a hard rule in the specifications. it's up to each provider of the service to decide

Timestamps is a part of the validation so a copy will have a different timestamp and it will not be working. There is a chip inside, that cant be accessed. It is like a secure enclave.@@neuideas

Typically, no.

Only if they ALSO know your password. As soon as you notice your YubiKey is missing, sign in to your account (using a backup method also set up when you configured the YubiKey), and then remove the YubiKey from your account.

You can buy a lighting and or NFC versions. But Yubikey is limited on what you can use its for 2FA, its only my emails and password manager that I can use it for. IE not every website that has 2FA lets you use Yubikeys.

They have NFC

Thanks

If you are confident in your recovery methods, it is not unwise to remove weak authentication methods like SMS and poorly secured e-mail (whether it's on the users or e-mail services end).

@@killer2600 Right, thanks!

Doesn't make sense to have Yubi and leaving email or SMS 2FA on

Please correct me if im wrong, Other methods are only compromised when they are being used.

@@Our1stPlanet Impression I had was that they were for backups. I.e., you use the strongest 2FA (Yubi) until you _have_ to use one of the others because you lost or damaged your key

Not exactly. There are techniques that require you have a specific file that can eb stored on a thumbdrive, but it's not at all the same as what a YubiKey does.

@@askleonotenboom OK, for me it's to expensive to buy one 60£ is not cheap and a good usb drive I can get from SanDisk for 20£ or even cheaper,depebd how much GB it needs. 🤔

​@@WaschyNumber1Its not about GB, its about how its built: the encryption and tamperproof.

Yubikeys look like usb thumb/flash drives but they are not nor will they appear as a drive when you plug them into your computer. They are more like smart cards, the kind you may have seen on your credit/debit card albeit you can't plug your credit/debit card into a usb port.

With SIM swapping they don't actually take the SIM from your phone, they just get your phone company to send a new sim for your account to them. SIM pins only lock the sim card you have in your phone, they don't have any effect on the new SIM your phone company sends to the perp.

@killer2600 - I'm aware they can't physically take the SIM from a phone in a SIM swap- however, as I said, the SIM PIN is associated with your phone number so they cannot use the fraudulent SIM to access your phone details on their device, as they will require a PIN. (I have a SIM PIN lock and everytime I switch my phone off and on again, I need to type my SIM PIN to get back into my phone- (it would be the same for a bad actor who swaps a SIM as the mobile number is migrated to the fraudulent SIM).

@@Summerbunny15 SIM PIN stops your SIM being used in another deivice. SIM swap is when the criminals obtain a clone of your SIM

I don't understand what I am supposed to imagine. Please explain. Okay, first my lawyer visits my family, then which is "them" and which is "they?" Are you saying my lawyer had the key and gave it to my family; or are you saying my family had the key and gave it to my lawyer? And why? The speaker in the video didn't say anything about all the passwords - where are they stored? Are you saying they are in the key? Or are you saying that with the key the family won't need the passwords? And is your scenario going to cause an argument amongst family members as to who gets the key? Or gets what? I thought the key only did 2FA not passwords.

I'm not sure where you're getting "more insecure". Hardware keys are more secure. Most current 2FA are two factor, even if you have to unlock your phone. 1) What you know (your password, AND your phone PIN), 2) What you have (your authenticator app). It can be seen as three factor if your phone unlocks with fingerprint or face ID (what you are).

So you are accepting that a person who steals the key and guesses the password can access your account. With the phone, they would need your fingerprint or face as well (the '3rd' factor) And stealing this HW key will be much easier, since: 1. People will leave/forget it plugged into their computer out of laziness or convenience. 2. The nano keys do not have a key hole, so no way to 'tie' them with your car/house keys for protection. How is that not more insecure ?

@@TheSolderingGuy007Those all seem like very low probability and easily avoidable events. (And remember, NO solution is 100% secure. No such thing.) More commonly people fall for phishing attempts, which can include catching 2FA codes from a phone in real time. A hardware key is impossible to phish - you need actual, physical, possession.

@@askleonotenboom not convincing. but thanks for trying.

There are 3 factors of authentication of identity: 1) Something you know e.g. password. 2) Something you have e.g. phone. 3) Something you are e.g. Fingerprint. Being able to unlock your phone with a pin/password makes it only 2 factor not 3. A password + a device + another password is still only needing to know your passwords and have your device which is 2 factors out of the 3. The risk of losing a Yubikey is lower than risk of your always-connected phone getting hacked with a zero-day exploit. Because of the convenience more people are exposed to internet-based hacking and over the phone/email scams everyday than they are to in-person theft. So physical items not connected to the internet are inherently more secure from those that we are most at risk to everyday. As for accidently losing a yubikey, it's a 2FA device which means it's one part of an authentication that requires two parts. The "new owner" would only have one part and wouldn't be able to log in presuming they would even know what accounts are associated with their new found key. TL;DR: Physical/offline security is vastly better than anything you do with your always connected to the world wide web smartphone. Even the best hackers in the world are foiled against a paper document laying on top of my desk - just can't quite make that last connection.

You may not have to enter a password for the key. (At least I don't). And YubiKey is just my example. There are other secure keys out there.

For YOTP (Yubico One-Time Password) you don't have to enter a password. And why not just a FIDO security key? Because FIDO doesn't work across interfaces/connections that only permit keyboard character entries. That's where TOTP still shines and where YOTP was a hardware token game changer - with either OTP method one can implement 2FA in any interface that takes ascii keyboard characters.

Yuubikey 5 series is Fido compatible

If they have physical access, that's your mishandling, not theirs.

Would you give someone your house key?