I've recently been researching U2F and FIDO key 2FA solutions, including getting FIDO2 key and starting to use it last week. This was the most direct and useful explanation of what the protocol is and how to utilize it that I've yet found, so THANK YOU! The confirmation that FIDO is a ubiquitously supported open standard under the purview of the W3C was especially reassuring!
I'm carrying an elder Yubikey for approximately 10 years on my keychain with no problems. So I would say, these things are really durable. I can't say anything about other brands.
Something I didn't know until recently, is that even if the Fido key is duplicated, there is a counter added to it. If the counter doesn't match expectations, the authentication fails, and the key is voided for that site.
They'll only do it once regulators require it. Majority of financial institutions implement new security protocols only when an auditor or regulator threatens them. Speaking from experience having worked in IT for financial institutions.
In many parts of Europe, banks and institutions require their specific app to do anything, which is a PITA as they suck. they should be forced to allow hardware tokens
You bother ti check with your institution? Bother to check any institution? Yes I'm talking down to you because many institutions have supported tokens for years.
Yes and no, FIDO2 is an extension of FIDO to allow it to be the only authentication method for "passwordless login", I prefer actually having 2 factors.
In Australia, the Australian Tax Office uses push notifications for 2FA. If it's a new device without previous history of login to the account, the push notification has a 2FA code, if it's an existing device previously authenticated, it's an "approve / deny" push notification
I really hope this does get widely adopted, and I've been pushing it for a few years now. In Canada it's very common to use SMS messages for MFA, but because of phone number porting laws (designed to make it easier for consumers to switch providers), it is somewhat trivial to steal someone's phone number (SIM swapping attack). Yet most banks and other large institutions here continue to only support SMS as a MFA method.
CIBC supports using their app to receive a push notification to approve a logon. But I’ve been locked out when the stupid app wasn’t processing the push notifications properly or the backend was messed up.
That is horrible. They should make you bring proper photo and other forms of government issued ID with you and make you come and do it in person. Really It should be a law that they must provide options for Yubikey and FIDO authentication.
Starting to roll these out for AAD and WHfB at work. Very cool stuff. Our users will love this vs. TOTP or number matching with push notifications. Still learning the differences between FIDO2 pwdless and smart card auth. More reading to do :)
You can control Fido key registration through an IDM solution like Microsoft or OKTA from an IT level, so you can issue keys to employees from the security team side of things.
I bought a Fido key & had it for well over 1 year & didn't start using it because I thought it would be difficult to setup. I was wrong! Easy to setup & use plus no I have the peace of mind of 2FA 😀
Helpful information! Maybe do a video on a breakdown of FIDO and U2F, as it's a common confusion point for people. One being a protocol, and one being the implementation of the protocol.
Seems like the banking industry only uses email or SMS 2FA. Can't use Yubi or Trust at any institution handling your 401, savings or checking accounts. Wonder if this will change anytime soon?
1:32 - one way to stop notifications on android is to force stop the mfa application itself. can't push notifications is the app itself isn't even running in the background. :D
I haven't read about the full implementation details of Apple Passkey yet... But I'm going to guess that Apple turns it from a wonderful Passwordless Utopia into an Apple 'Walled Garden' ™ so that the only way to use it is on Apple devices (no export/integration/whatever the correct term!)
@@DerekGreen123 per my review - its just WebAuthN w/ FIDO2 via TouchID/FaceID - so pretty much using the Secure Enclave like the USB key. I think it will be a good thing because it will make customers want it - Apple has a way of steering consumer demand a lot more than many other companies.
It's this and also "Passkeys" that are going to use your iPhone's secure enclave, or other type security hardware on device to use your already built in TouchID / FaceID / Windows Hello that prove that you are you. We are moving towards a passwordless future as a whole.
The Rube Goldberg machine marches on lol. This system isn't going to fly with most normal people. Already picturing getting multiple calls a week "hey I lost that USB thingy you gave me and I cant sign in anymore.....". Honestly would be better to just make it so the system cant send more than 1 push notification in a 10-20 minute period and make it so users have to unlock their phone and actually look at the request before being able to hit yes. If you think the people that cant even handle having a unique password for every service can handle not losing their magic USB stick, IDK man.
Currently I use KeepassXC's TOTP feature as it's easy to click on it to provide the code. Plus I can sync the database to my NextCloud as backup. I'll be looking into FIDO2 compatible keys to see how well it works with KeePassXC.
UPDATE: Latest version of KeePassXC now offer Passkeys which provides the same function as the FIDO2 key. The plugin for the browser is not enabled by default.
it's worth mentioning that all modern smartphones support webauthn and authenticate users with their fingerprint or face id, which removes the need for the vast majority of people to purchase additional hardware
Yubico has TOTP as well in its newer keys so I use that as well. I don't do push notifications because of the inherent tracking built in to the apps especially Googles app. I use a hardware password manager, Mooltipass, that includes Fido2 and TOTP for one stop login. Backups are essential so that is a downside.
The Mooltipass looks cool but I can't tell from their web site how the user is expect to carry their smartcard as it doesn't appear to have a hole for attaching a keychain or lanyard. Do you keep yours in your wallet?
1 - IF there is a flaw within the firmware/protocols (there will be, nothing is perfect) you would need to replace millions of those devices, with the cost and it takes time 2 - Replacement for failed devices Software solutions are always better because of their flexibility, besides (some of) the code could be peer reviewed. Nonetheless I do like the Yubikey/Trustkey, security benefits afterall.
I don't see myself using these kinds of thingamabobs. I don't want to carry even more stuff around with me, I don't want to have to manage multiple physical sticks and I don't want even more small items that are easy to misplace and/or accidentally drop somewhere. It's a good point about the push notifications, but none of the services I use do that, so it's not an issue for me.
What's the opinion on Microsoft's authenticator? It uses push, but also asks you to select the number which is displayed on screen at logon - still not fool proof, but helps avoid inadvertent 'allow' taps. I would love to have physical keys, though they can still be costly 😬
Why use push at all if you need to read off one device and type into the other? Just TOTP. Oh, and my yubikey as well as fido is storing my TOTP tokens.
My issue with the MS authenticator and the Google authenticator, is they can withdraw the app/service and then you are stuffed I'd rather have the total control myself, in a Yubikey
Companies that aren't using WebAuthn are asking for trouble. The SMS codes can be an option for the uninformed but WebAuthn should be standard. It annoys me to no end that one of my CC banks doesn't have any 2FA options. My password for that service is over 100 characters to avoid being hacked.
The thing I don't like about these keys is that I use multiple machines at different times throughout the day in geographically different places. If I "forget" a key at home, and go to work, I'm turning around to have to get it. If I'm at home, upstairs, and my key is downstairs, then well, guess I'm moving my butt to get it. I'd either need a key for each machine, or, move the key around to each machine which starts to give to physical fatigue of the port and keys. Also, one of my laptops has a limited number of USB ports, so I'd have to unplug the keyboard or mouse to use it, or get a hub which is just more garbage to haul around and keep track of. (I'm generally not a fan of laptop keyboards due to their size and positioning of the keys, or, lack of keys (Numpad)) Keeping the key with the machine itself, if you lose the machine and the key, then what? Just to "touch" the device isn't enough. Fingerprint recognition on top of just a touch would be much more of an asset, but again, because of geographical differences at any point in time still kind of gets me in the "not subscribed to the idea" feeling. If this were to be something to be had on my phone, which goes with me everywhere, hard to misplace or drop and eliminates physical fatigue, then I'm in. If what I need to "log into" is sufficiently separated from what my phone would need to authenticate for, that's fine by me (IE: The phone only answers to requests from external access, but, doesn't have any knowledge or ever has been to what is making the request for login). If I'm being hammered by authentication fatigue, and I'm not making the requests, I stop the notifications from showing up on my phone for a period of time, or, I go and start resetting passwords so 2FA doesn't get to me.
and never mind the problem of adapters because laptops now only have usb-c ports. In general the idea of having your users carry a physical thing is just not going to work.
I love my FIDO key, because it has the TOTP codes and FIDO2. I wear my key on a necklace that I pretty much never take off. I can use it on my iPhone XS with NFC, my PC with the USB, and have all my codes and authentication there. Plus, Apple now has their Passkey, which I'm pretty sure is just Apple branded FIDO2. Once Apple does something, it becomes a universal. Give it a couple years, and most main-stream sites I imagine will have at least partial support for FIDO2 passwordless authentication. Microsoft already has this, and it's genuinely handy.
More complexity, more training, more user error, more time involved in access, more time involved in support and diagnosis, more people involved just to do something simple... This, just like MFA, is just adding more to the nightmare that is being an IT tech. Most end-users can't even manage clicking a button when their authenticator app pops up showing a code or just asking for approval. They'll look you dead in the eye and say they never saw something pop up, or that they have no app (that they have used daily for years). And new clients, forget it. I had to do 7 layers deep of account recovery and MFA enabling recently just for one new client to finally setup their Outlook on a new laptop. It's getting to be impossible to function, as an end-user but especially as their support. It's not sustainable nor effective to just keep adding layers of authentication, especially when the primary vector of attack is user error. Taking it all away would be less secure, sure. Just the same as removing people's access to cars would prevent car wrecks. There's a point where ability to function is hampered too much in order to boost security, and MFA is already itself too far beyond that point for most people. Heavy duty MFA, Fido2, etc to access your crypto key device that had its own multi layered security, sure... But all that just to access Microsoft Word, some video streaming service (which is where it's all headed), or to help end-users as a support tech? It's f*cking bonkers.
Man, you click your own device which supports fido2 (i.e. iphone or windows) and it uses a key per domain, you do it everytime you log in, no text or pop-ups required
As an IT Manager, I'm currently struggling getting staff to buy into just MFA. I have total buy in from Sr. Management, but even then some staff refuse to take part. I need a good strategy on how to get staff to buy into FIDO (which I and my whole IT team use), but its more challenging than it sounds.
I just turned it on for everyone (management approved). The users that phone the helpdesk relentlessly because they can't log in? Too bad, get with the times.
@@adamzan7 that's what I did. Guess what? You want a job? You're gonna MFA like everyone else here. If you have that buy in from management you're good to go. Surprised to hear Northern-Light's IT doesn't want to use it? What IT guy out there worth his salt doesn't do this in these times? What rock do they think they can work under and not have to MFA anymore?
If they refuse to use MFA, that means they can't do their job. Fire them. I've worked at a large company that rolled out waves of MFA. You don't get a choice. The systems enforce the requirement, and eventually, if you want to be able to do simple things like read your email, you need to have gone thru an MFA enrollment.
Windows Hello, Android and now the iPhone and MacOS have this built in. Users do not need keys. FIDO now supports multi device key sharing. Apple implemented it Google and Microsoft should have it soon. Even with slightly less security guarantees they are better than most current MFA solutions. Also the operating system keys are 2FA by default. They are an authorized device and a biometric or a pin.
the compamy i work at has decided that all users that have admin rights in our man program suite has to use a yubikey for autentication. all other users must atleast use a push notification style authenticator, but if they want and ask for a yubikey they can have one. i fond this a good compromise. i have already recieved my yubikey and im happy with it so far.
My only complaint is it assumes the user has affordable access to secure hardware tokens. The technology can't really scale until products like Yubikey are as cheap and common as average USB.
Using google account here. Already have 2 step set up for my Authenticator app. When going to add a security key it asks to enable passkeys. Why is this the only option?
Great vid. Frustrating how difficult it is to have multiple keys on some services. Or even swapping to jus the key and not a Google or MS app as well without disabling MFA.
@@LAWRENCESYSTEMS Looks like you found a topic for another video? ;) I'd never heard about this before and I suspect I'm not the only one, but looking into it, the idea does seem pretty neat.
It can be safe with a phone. The national electronic ID in my country (a specific app/program, that you can only get by authentication through a bank, since they have the strongest security already), will show a QR code on the screen, and you will have to use the phones camera to show that you login on the system you claim you are using. To make it even more secure, banks and other sites that need the best security, have started using rolling QR codes (the QR code changes every second). In other words: 1. You have to open a bank account in person. 2. You have to access the bank with a 2 factor identification device (You log in to the bank, you login to the device, you get a code from the site, you type it in to the device, you get a code from the device that you type in to the site. And even these devices is being replaced with models with cameras and QR code systems). 3. In the banks site, you chooses to get a digital ID. You sign the ID with the method mentioned above. 4. Now you have an ID that you can login to and authenticate, that you are who you claim you are. Obviously if you get promted to authenticate something, that isn't correct, you can't. Because you will not have access to a QR code (besides, you should never be prompted to authenticate, unless you initialized a login to a site/service, in the first place). The digital ID expires every few years, but you can login to the bank and block it at any time and get a new one, if you forget your password or you think that you have been compromised, or you get a new device (phone, tablet, computer). Forgot to mention, that another way that this is used, is to identify yourself in phone conversations (to prevent social engineering). You will call a company or government agency and they will send a signal to you Digital ID, and you will have to authenticate before you will be allowed to have a conversation with them. That way, they know that you are who you claim you are.
What happens if you have a VPN? Is this for logging into my desktop, notebook, and so on? I have been hacked, ransomware attacked, particularly anything that might be considered banking. Do you have to install an app on your computer? I have to stop this disruption from attacking my finances! They don't even care if you are a senior citizen (in fact they target seniors).
What about this compared to something like Trusona? That sign on method makes sense to me and I like It as it doesn't require additional hardware. If you are familiar with Trusona, how does the security compare? Probably not a simple answer, sorry. I'm on board for more security, I wish something would get widely adopted soon.
Is there any good reason to have super strong authentication security on Wordpress... as every few months there will be another huge security hole allowing it to be compromised? /s 😝
@@DerekGreen123 The core Wordpress installation has had few if any CVEs that don’t require a user account on the site to exploit since late in version 4’s development cycle. Given the current lack of “drive by” exploits, securing the user login significantly increases the security of an up to date Wordpress site. Moving to PHP-FPM instead of mod_php has also helped significantly as well.
Some thoughts: (1) you can 3d print enclosures to help keep these from getting too banged up on a keychain, there are designs on thingiverse and printables already; (2) I don't understand how MS hasn't implemented FIDO2 over RDP yet (AFAIK); (3) it's frustrating that more modern sites like Paypal only allow a single hardware token and less-modern sites like most financial institutions don't support them at all; (4) also frustrating how many sites require you to have a less-secure second method of authentication, totally degrading the security hardware tokens provide. I want FIDO2 and only FIDO2 and I don't want sms OTP but some sites don't allow that.
Why would someone NOT raise an alarm if their phone gets a push and they are NOT the one logging in!? 😯 Maybe that's part of the reason there are beaches. 🤦🏻♂️🤣
The biggest down side of these keys, is that most website only allow to you to associate a single key. I have 4 systems I often use for my work, I a PC at home and work, I have a phone and a laptop for emergencies. Keeping your fido key at you at all times is very hard. If you forget it and you need instant access to a system because there is a major issue, you can't do anything. I rather get hacked than loose a client because I couldn't solve a simple issue because I was unable to locate my fido key. We all know that emergencies don't have a 9-5 jobs...
Meanwhile in norway they decided to redo our most used auth system from a sim card application to a push based phone app... And not support anything else.
My boss doesn't think we need FIDO2 since we have AAD and SSO for most everything with Conditional Access policies to restrict access to AAD-joined devices only. I tried making the zero trust argument and benefits of FIDO2 vs TOTP or Duo push, no dice...
Can you explain why some security keys work on U2F and WebAuthn sites but not on FIDO2 sites? eg. KeepKey for example works on most U2F sites but it won't work on say ebay which uses FIDO2. What is the implementation missing that prevents it from functioning on sites using FIDO2?
Not sure I like the idea of the authentication request to be tied to a host. If I have a replacement host then I will never get that authentication request and I am then locked out.
I really love this tech but the problem is usability. I have a older low-end Android smartphone that has no NFC or similar (the only external connection is a single micro-USB for charging). How would I use one of these keys to log into my bank on my phone?
If you can't/aren't willing to part with our phone (which I would suggest at one point to make life easiest). I would look into an authenticator app if your bank supports it. Isn't as good but still strong
@Zachary I don't have the money for a new phone. Not that it matters since my bank doesn't actually support 2FA at all, I was more commenting on the fact that there are many instances when using this tech might not be possible and therefore it isn't the magic bullet answer for hacking/phishing/etc.
I just don't see what the benefit is versus using TOTP - I hear about it being more convenient, but I literally just have to tap my finger on my phone then open my TOTP app. It takes me and extra 3 seconds compared to a key... and I'm far less likely to lose my phone. Is there something I am missing / not getting?
plus if I use say LastPass Authenticator or Authy - I can just have the app on another device in case I do lose my phone. My phone itself is finger and PIN protected as is my backup device. Obviously if someone cracks my cloud credentials I'm stuffed but they'd need my fingerprint and phone PIN to do that anyway... If they can get in there, they can get my USB Key as well...
Is there a software emulation of a FIDO2 "key"? Seems like there could (should) be... I recently uninstalled the okta authenticator. I switched to using TOTP codes (such as generated by google auth instead). I have not yet accidentally clicked "yes it was me" in response to an okta notification, but it would be easy to do. I'd rather deal with the 6 digit codes.
Do rhe trust key or thetis key "update"/ "phone home" like yubico does? I don't trust that. They shouldn't need to if they gave the fido algo installed so its nefarious. Anyone examine the packets they send even or everyone just "trust?"
Most people become preteens when it comes to security. I'd put TOTP mandatory for every service and please... PLEASEEEEEE.... stop asking a cellphone number in the way (especially in a Workspace owned domain)
i would say - if you not login anywhere and see the auth request - its a flag that someone trying to hack you. is there idiot who press yes if he is not the one who login?
still have rsa key fobs for some access however most companies have moved away. curious how you plug this into a mobile device and authenticate - noting that self authentication on a mobile is well almost useless.
that doesn't solve the problem first explained, it just silences it (meaning someone could still spam it enough to make you touch it at the wrong nime, ie: trying to log in yourself, and auth them by accident)... a cooldown in requests per machine would solve both problems...
As far as I understood from the video, with the FIDO2 standard there's almost no chance someone else can submit a challenge notification to your device - and this is the difference.
Hi Tom, great video. How would you support this as an MSP? Is there a one ring to rule them all in the spec? Seems great for an individual what about support as a MSP?
@@LAWRENCESYSTEMS yes, but what happens when they become standard? How would / could you support this as a business for an end user if this was their default auth?
I use Yubikeys and Windows Hello. My opinion is that Windows Hello is the way to go (IR Cameras specifically but a high end fingerprint scanner can work too).
TOTP authenticators for 2FA like Google Authenticator are a rolling number generator., which i use everywhere that allows them. they're inconvenient but secure. UB or FIDO will be my next upgrade.
I turned the notifications for 2FA off, they are just silent. When I want to login, I start the app. But I've never had event when I would receive notifications - not that interesting target :)
Disclaimer: I don't know and genuinely wonder... What about race conditions? If I have access to the computer the key is used in, and my background software is trying to login on another service with their credentials at the same time? I know it is more "ifs", but a virus-ish could dump your bitwarden database every day if they only got your username and password once, as long as they time the blink with another login (like a VPN connecting) that could make the user not think twice.
Implement hardware 2FA for regular clients of the bank is a very luxurious expense. Joe's 25k$ aren't worth that much of a expenses if a sms 2fa is getting job done.
i love and hate yubikey its honestly super easy to lose and having it in the pocket can trigger NFC on my phone if i forget to lock it, on other hand they are much more convinient then TOTP on phones. i hope we could reliably achive same thing with phones or a component of phones as we tend to have them on us, push notifications for auth are generaly bad but i think microsoft does them well with pick one of 3 numbers system, imo its good alternative for general consumer better then nothing but not as annoying and complicated as TOTP
Windows 10, iOS 14, and some recent version of Android and OS X all support acting as a FIDO key. However they only support the built in authenticator role. None of the computer side operating systems support FIDO over Bluetooth LE. Get that working or more NFC readers in computers and a phone could function as a roaming authenticator. Roaming Authenticators are the NFC, Bluetooth, or USB dongles per FIDO spec. Built In Authenticators are provided by the host operating system per FIDO spec.
I much prefer the TOTP over pushed notification. I find it more convenient, less intrusive and more secure. I've been wanting a yubikey since the first one came out, but that was always a big budget for a key that only a dozen of the sites I use support. I wished my company would switch to something like that, but they wont, even though I keep nagging them about it (and other security improvement for their infrastructure). Some day i might ask for a transfer to the IT department and implement those myself, who knows...
Duo also supports YubiKeys, you don't have to use their app and push. That means they can bring YubiKey functionality to all SSO (SAML and OIDC) as well as workstations, VPNs etc even if they don't natively support them. You can also set policies up to select which apps require only a YubiKey and which ones can use push. This also gives the IT team the ability to fall back to push/bypass for users that do lose their key, and central management where they can disable a lost key on all accounts.
Yubikeys are great! I think the most pressing matter for Identity Security is what to do when the threat is already inside. I recommend looking into products that can prevent the threat from lateral movement and minimize blast radius. A product called Silverfort can protect organizations from that, especially on legacy apps and on-prem solutions that don't support FIDO2 (Silverfort can extend your FIDO key usage).
I'll switch only when recovery key can be issued along original that is able to disable original and take its function without reconfiguring every website (plus issuing new recovery key in the process)
