I Visit Yubico's HQ to investigate the security of 2FA keys

Подписаться 308 тыс.

Просмотров 16 тыс.

50% 1

Can we trust the security companies that help us lock down our online accounts? Josh visits the headquarters of one such company in Stockholm, Sweden to expose how they operate and why we should - or shouldn't - use their products for online security.
*This video is NOT sponsored*
▶ Watch the full interview with the CEO here: • Yubico Interview
▶ Get your own YubiKey security key ($5 off): yubi.co/all-things-secured-2024
If you care about your personal security and privacy online, download my free security checklist here:
✅ Security Checklist: www.allthingssecured.com/secu...
🔹What You Should Watch Next🔹
If you want to continue building better security for your online accounts, here are some videos to help you understand the best tools to use and which accounts should be locked down by 2FA security keys.
✅ 12 Privacy & Security Tools I use EVERY DAY: • 12 Privacy & Security ...
✅ Which 2FA Key should you use? • How to Choose the BEST...
✅ How to set up a 2FA Key: • Setup a 2FA Key for MA...
✅ 4 Critical places to use your YubiKey: • 4 CRITICAL Places to U...
🔹🔹Support All Things Secured (Recommended Tools)🔹🔹
If you enjoy this kind of practical security and privacy content, one of the best ways you can help support this channel is by using these affiliate links to our favorite products and services. When purchasing through these links, you not only get the best available deal, the companies will also pay us a small commission. Thank you for your support!
✅ Recommended Password Manager: www.allthingssecured.com/yt/1...
✅ Recommended Identity Monitoring: www.allthingssecured.com/try/...
✅ Recommended 2FA Security Key: www.allthingssecured.com/yt/y...
✅ Recommended Secure Email: www.allthingssecured.com/try/...
✅ Recommended VPN: www.allthingssecured.com/try/...
*********************
Video Timestamps
*********************
0:00 - Visiting Yubico in Stockholm, Sweden
0:35 - Who is Yubico?
0:52 - How a YubiKey works
1:31 - Can you trust Yubico?
3:33 - Are YubiKeys secure?
5:37 - Final Thoughts on Yubico
3:04 - Summing Up Disadvantages
3:22 - The Value of Trust with VPNs
4:30 - Mozilla VPN Final Verdict
*********************
This week, Josh takes a trip to Stockholm, Sweden to visit the headquarters of ‪@Yubico‬, the security company that makes the 2FA security keys used by almost every major tech company and government in the world. Are they trustworthy? Are the keys secure? These are the questions Josh asks as he visit.
#yubikey #onlinesecurity #cybersecuritytools

Наука

Опубликовано:

22 июл 2024

Ссылка:

Скачать:

Готовим ссылку...

Добавить в:

Мой плейлист

Посмотреть позже

Комментарии : 111

@AllThingsSecured 3 месяца назад

What do you think? Does seeing "behind closed doors" give you more confidence using a YubiKey? And if you don't have your own security keys, get $5 off using this link: yubi.co/all-things-secured-2024

@a1isrising 3 месяца назад

do i still need a password managet and and some othet form of 2FA too , or can i just use Yubi key for log in for email , and other sites where its accepted , im not tech savvy and get confused as to what i need for privacy and secrurity thats easy to use and impliment as i still use free gmail and i eant to switch to a paid for email for secrirty and privacy im not so much worried about goverment im more concerned about hacks , mitm and others i dont even know of lol , thanks for any info great channel i learn a lot frim you

@currentfaves65 3 месяца назад

I would be interested in using this for banking. Bank America seems to be the only banking using 2FA keys.

@AllThingsSecured 3 месяца назад

Yea, unfortunately banks have been slow to adopt the FIDO standard for security. It's coming, I hear!

@uzlonewolf 3 месяца назад

No, it does the opposite. Absolutely nothing of substance was shown, and this whole thing feels like a corporate PR piece from a corporation desperate to try and convince you their closed-source security-through-obscurity binary blob is actually good for you.

@-Oleg1 3 месяца назад

Good joke. 404 error We can't find that page. Sorry!

@asinheaven 3 месяца назад

Now if only our financial institutions would let us use them...

@SteveHowardPhotography 2 месяца назад

or Amazon Shopping too

@sarahgguwu 2 месяца назад

@@SteveHowardPhotography amazon supports passkeys which includes yubikeys

@sandcat731 2 месяца назад

Works on amazon @@SteveHowardPhotography

@Darkk6969 Месяц назад

Bank of America supports them.

@CedroCron 3 месяца назад

Thanks for going there and finding out. I appreciate it as a YubiKey user!

@AllThingsSecured 3 месяца назад

Thanks for watching and commenting!

@plproductions8887 3 месяца назад

Love the videos you’ve help so much with security and learned a lot keep it up.

@AllThingsSecured 3 месяца назад

Glad you like them!

@user-gg3wn2ic1e 3 месяца назад

A video i really wanted to watch, thanks so much

@AllThingsSecured 3 месяца назад

My pleasure! Glad you enjoyed it.

@steveshuffle 3 месяца назад

great video Josh! And you were sooo lucky with the weather for April :D

@AllThingsSecured 3 месяца назад

Ha! It was actually filmed in a different month, but the weather was fantastic.

@CharlieDawsonMusic 3 месяца назад

Well Done! I Always love your videos and this was so interesting. Thanks for all your efforts.

@AllThingsSecured 3 месяца назад

My pleasure, Charlie! Thanks for watching and commenting. 👍🏻

@user-qe3zj5jc3o 3 месяца назад

Good call. Interesting to see about this. Since I'm Swedish but living abroad I bought Yubikey.

@hhbadarin 3 месяца назад

Bought one of their keys 3 years ago, couldn't be happier!

@MysticMylesZ Месяц назад

Can't wait to get me hands on one of these products. I hope to make them as important as a phone to me and my family.

@swrenn 2 месяца назад

Question about setting up my keys. The Bitwarden extension tries to save it. When I choose hardware key, should I choose just this once or all the time? And how do i change it to once if I chose all the time?

@stephenfromfing4430 2 месяца назад

Been to Stockholm, it's a wonderful city. That ship is epic! Would love to see it during the summer (we went during the winter).

@SyberPrepper 3 месяца назад

Thank you for the video.

@AllThingsSecured 3 месяца назад

You’re welcome!

@northerngit1620northengit 3 месяца назад

Hi Josh, how would i know which accounts i have on which Yubikey? As I intend to buy 6. Cheers

@wesleyblanchette6413 Месяц назад

I knew nothing about security keys and just picked one happened to be yubico and I’ve heard nothing but good and I’m glad I trusted my gut

@Melker63 3 месяца назад

Hardware-based authorization-keys are very hard to beat. But it does require a functional and accessible USB-C port - leaving the physical phone potentially vulnerable to advanced tampering attacks. Physical USB-blockers from Smartkeeper is a possible option. Anyway, there is an argument for app-based authenticators and charging through wireless induction only - you can completely seal off the USB-C access alltogether. But that perhaps a too tough compromise to pay.

@AllThingsSecured 3 месяца назад

I’m not sure I follow. These keys also allow for NFC, which is just a tap on the phone, not plugged in, so you’re not dealing with the phone port at all.

@Melker63 3 месяца назад

@@AllThingsSecuredOK, I don't actually own and use one of these keys myself. So I misunderstood whats possible. I think I have some catch-up reading to do. 😊

@BillAnt 2 месяца назад

@@AllThingsSecured - All these security keys can be emulated in an app like "Google Authenticatior", which essentially it does the same thing, of course it's only as secure your phone. Security keys are just a purpose build device which does one thing, and one thing only. One has to chose between the convenience of an all always on phone vs. carrying a key and plug-in/tap.

@BillAnt 2 месяца назад

@@AllThingsSecured - All these security keys can be emulated in an app like "Google Authenticatior", which essentially it does the same thing, of course it's only as secure your phone.

@BillAnt 2 месяца назад

@@AllThingsSecured - Security keys are just a purpose build device which does one thing, and one thing only. One has to chose between the convenience of an all always on phone vs. carrying a key and plug-in/tap.

@SteveHowardPhotography 2 месяца назад

I love my Yubikeys but I can use your advice. How do you carry yours around so you always have one on hand? Neck lanyards are uncomfortable, and I don't always have car keys with me. I'm open to any suggestions. Thanks for ALL your videos and advice.

@justicefool3942 Месяц назад

For me personally, I didn't always have my car keys with me until I got my Yubikey and added it to my keychain. After that, I always have it with me just in case.

@SteveHowardPhotography Месяц назад

@@justicefool3942 Thanks for your input. Guess I just need to decide - lanyard or keys. Thanks for your reply

@Provocateur3 2 месяца назад

Plz consider doing a review on the Quetta browser sometime.

@mikaellundqvist 3 месяца назад

Hello. I hope your visit to Stockholm was nice. I trust the Swedish security keys because I know it’s basically the same cryptography as the new passkeys and offers the strongest possible security. What’s best about these YubiKeys is that they are separated from the Mac, iPhone or whatever you might be using to offer even stronger security for your accounts. Cheers! 👋

@AllThingsSecured 3 месяца назад

Thanks, Mikael! It was a wonderful trip.

@Mkbshg8 3 месяца назад

Cool. What happens if you lose the physical key though?

@AllThingsSecured 3 месяца назад

That’s why I have a backup. Either a second key that I store in a secure place or a backup code/phrase that I store offline.

@cjc363636 3 месяца назад

My Q as well!

@CiroMorra 3 месяца назад

@@AllThingsSecured The downside of a second key is that some services make the last hardware key entered the primary without an option to change this to a "backup key". This is not Yubico/Yubikey related but really annoying. Some software/services are really not up to speed with using amd adopting hardware keys. Using hardware keys on a Android phone / Chromebook can be a real pain sometimes e.g. when they do not use the NFC chip but expect a physical key to be inserted. Disclaimer: I also use Yubikeys but the CEO not being able to enter their workshop does not give me less or more trust in their products. There so many options to manipulate a service/product somewhere else in the supply chain.

@Anondady 3 месяца назад

Nice video just wanted to mention that the music in the video is far louder than your voice level. Thanks.

@AllThingsSecured 3 месяца назад

Thanks for the feedback. I’ll try to do better next time 👍🏻

@jeffpearson1863 4 дня назад

I heard they dont work on banking sites. Is that true?

@azclaimjumper 3 месяца назад

One of your earlier Yubico videos convinced me to buy 2 Yubico keys. Both keys have done exactly what they're supposed to on both of my macs are "Smart Card Required" & all my accounts that allow/permit 2FA with hardware keys. Sadly, banks & brokerage firms don't allow Hardware Keys to be used for 2FA. Only Bank of America & Vanguard allow Yubikeys for 2FA for their customers.

@AllThingsSecured 3 месяца назад

Yea, I don’t know why banks have been so slow to adopt a better security standard.

@Darkk6969 Месяц назад

@@AllThingsSecured Easy. IT Support. Banks don't want to spend alot of money in IT Support for their customers with 2FA issues.

@barrykandell623 17 дней назад

I was hoping all of my high risk apps used the yubikey such as banking etc

@JohnSebeny 2 месяца назад

Any recommendations for a USB adapter to go from C to A?

@AllThingsSecured 2 месяца назад

You can get a cheap one off of Amazon. Or just buy the correct YubiKey.

@Crazy_Hoon285 3 месяца назад

Hey im really scared i was trying to mod a game and downloaded a mod that everyone said was safe but the site that i got it off you had to sign up ive tried deleting the account but apparently you cant on this website

@AllThingsSecured 3 месяца назад

Sorry to hear that. Not sure how it has anything to do with 2FA keys, though.

@Crazy_Hoon285 3 месяца назад

@@AllThingsSecured I just wanted to reach out to you for some advice I'm only ney to computers

@BigGroupHug 3 месяца назад

If you're gonna be silly on the internet, create unique email accounts for every sketchy website. Are you 12?

@dennism2111 2 месяца назад

There are so many things I still don't understand about computer security. Do the Yubikey secure anything other than email? Since Microsoft requires their corporate users to use Yubikey how did Russian hackers breach Microsoft recently? It must have had nothing to do with corporate user logins.

@Darkk6969 Месяц назад

They stole the session tokens. No two factor will prevent that. It's up to the controls of those tokens.

@HaMou261 3 месяца назад

What if you lose the Key or get damaged?

@just__mike 3 месяца назад

You always need a backup key.

@AllThingsSecured 3 месяца назад

Exactly. The best thing is to have a backup key. If not that, then you need to keep another kind of backup offline.

@currentfaves65 3 месяца назад

Went to Yibico's list of companies that their key works with. NOT IN ALPHABETICAL ORDER, not even by category. They should at least break this down by category such as banking, linux, microsoft, apple, android etc. For me, secure banking, email and securing my device are the only uses of interest to me. And none of my American banks is listed. In fact, I think Bank of America is the only bank. Ultimately, not sure I want to risk this. Lose the key or the key gets corrupted and I am locked out of my bank to do what ? It does, however, sound like a great solution for a large company.

@hiddenlawyer 3 месяца назад

General advice for not just physical 2fa keys, but other critical things as well. Backups. I have 3 yubi keys, one that stays at home, one that stays at work, and one in my wallet. Once I onboard a key to an account, I also onboard the others as soon as I can. I also do not trust leaving a regular yubi key laying around, so all of my keys are the bio series which requires a fingerprint scan. Accounts that do not support more than one physical key in my mind are flawed implementations implemented by incompetent staff.

@AllThingsSecured 3 месяца назад

This isn't a Yubico problem, it's an industry problem. Banks have notoriously been slow to adopt higher 2FA standards and it's not that they don't accept YubiKeys, it's that they don't accept ANY 2FA keys at all. It's unfortunately and hopefully something that will change eventually. Locking down your email (Gmail, Outlook, Yahoo), your mobile device (Apple iOS, Android), your retirement accounts (Vanguard) and other such important accounts make this much more than just a good solution for a "large company". You don't have to use a YubiKey, but if you're not using 2FA of some kind, you're making a big mistake.

@currentfaves65 3 месяца назад

@@AllThingsSecured I appreciate your videos and for taking the time to reply ! I too really wish the banking industry would take security more seriously.

@uzlonewolf 3 месяца назад

@@AllThingsSecured Most banks do actually support hardware tokens, it's just that you must purchase their token directly from them. Wells Fargo for example will sell you a RSA SecurID token for $25.

@rjain1993 3 месяца назад

👍🏻

@AllThingsSecured 3 месяца назад

🙌

@dasmouse2557 3 месяца назад

The way I read your message, US market is served by keys manufactured in the USA. Just being paranoid for a second... why? Who else has the keys? Eventually, this is another crypto solution. Remembering Crypto AG from Zug, Switzerland. Who else has the keys?

@AllThingsSecured 3 месяца назад

I'm not sure I follow the question. How is a 2FA key related to crypto?

@NathanColmenero 3 месяца назад

2:31 That flag is spilling over into Canada lol xD

@AllThingsSecured 3 месяца назад

Ha! Sorry about that.

@PlacestobeVG 2 месяца назад

lol idk why this made me laugh

@T4505. 3 месяца назад

This dude is the whole PR team of Yubico, never seen a single RU-vid creator pump so much content for a single product.

@AllThingsSecured 3 месяца назад

I know, right?? Isn’t it just nuts how a security and privacy RU-vidr talks SO MUCH about actual security and privacy tools like password managers, encrypted email and 2FA keys all the time?! It’s just unbelievable. I mean, you’d almost think that it’d be better for somebody who wasn’t interested in actual security and privacy to just, you know…unsubscribe 🤷‍♂️

@CiroMorra 3 месяца назад

You can use any other brand of compatible key if you want, all content about why and how to use it still apply. It's all about the chip and formfactor, not the brand.

@Zermatt2024 3 месяца назад

Can’t use on smart phone = deal killer.

@iRyan230 2 месяца назад

But…you can use them with smartphones via NFC or USB-C/Lightning port.

@simev500 3 месяца назад

So a digital key within a physical fob is the improved newfangled security now. And this you add to that metal ring that holds the rest of your brass house keys in a pocket/purse in your person. Anyone see the irony here? 😜😂🤭 P.S. No putdown on new technology. It just seems an old artifact, a metal key, to open a physical lock was replaced by a digital key, the new artifact, which is now encased inside a hard plastic fob that is no different than the old artifact, the aforementioned metal key. Plus the bulk.

@AllThingsSecured 3 месяца назад

I wouldn't call it "newfangled" since the technology has been around for decades.

@Shubhrojeet 3 месяца назад

Old Days Was Secure. When You Had To Wait For Someones Letter.

@AllThingsSecured 3 месяца назад

How does that relate to 2FA security keys?

@Shubhrojeet 3 месяца назад

@@AllThingsSecured no technology no more tension about privacy security.

@danielmckinnon9627 3 месяца назад

@@Shubhrojeet In the old days in the 1970s & 80s when I was deployed overseas in the military, mail took two weeks for letters to arrive and then another two weeks for my reply letter to return to the US. Occasionally snail mail was lost so wasn’t totally secure and at one island location our mail was opened and checked prior to being issued as senior authorities were checking for porn (spouses or girlfriends sending photos) or drugs. I still live overseas and love to keep in contact with my family and friends and emails, instant messaging, and free video calls are magnitudes better. A little 2FA security of this “technology” is very simple after setup and we can send & receive instant communications in which many, including myself, like much better and still have privacy.