NEW! Strongest 2FA for Apple devices - Yubikey + iOS 

Yes!

1000% agree. All of these content creators really miss the mark when it comes to real use applications. Imagine their views and subs if they did a 5 minute video covering actual use scenarios with Google, Gmail, iCloud, windows, devices Etc. just the top 2-3 uses for each would be phenomenal content but they can’t get their head away from elementary school set up videos.

Did you ever figure it out?

@@kjhkjhlkgjklggkhk True.. did you know the answer to when will it be ever required btw? :P is it only to login to icloud/appstore?

Yubi keys don't work. This guy is just making money off of scamming them.

Did u ever get a answer here or anywhere?

That’s for FaceID. He is encouraging people here to switch away from 3FA, to 2FA(password + hardware)…

The same can be said about these FOB keys.. what if you loose them ? Unlike a phone you CAN set up to track it, how can you track a secure token ?? If you could, wouldn't that break the secure model ?? etc... There are always trade-off's. This could be the reason why these FOB's will never be global standard for all by default.. They can;t... I don't see how when you have to give users options.

@@Tech-geeky There was a tracker device for U2F Security Keys. And there are many more options out there! ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-Z92JMdPrbu0.html

I feel like TouchID or FaceID are just replacing the password: Phone AND (Password OR biometric). Also the YubiKey in this scenario ist just 2fa for the Apple ID itself, like, when you add a new device to your Apple ID. You still unlock your iPhone with PIN or biometrics. But I don't think the device itself where you logon is counted as a factor, or otherwise every login would be 2fa by default since you need a device (computer/phone) to put your login-data in. :P

​@@emerelle3535 The devices are counted because somebody stealing(ex: random website database dump where you used the same password and email) your Apple login and password, gets access to 1 authentication mechanism but now needs to obtain your phone and biometrics, to be able to login into your account.

I guess ya, you can get addition hardware which would track this stuff, why why should you need to ? If something by design promises its secure, why is it let down by "oh right, you need something else to track it" Why isn't it part of Yubikey ?? If your gonna make promise sin security, do it.. In fact, i could argue loosing something is actually the "most important" thing. as everyone has the tenancy to loose stuff .. You can't fix that problem.

That’s not the only difference. The a lost iPhone is a goldmine asset; a lost Yubikey is just a tiny bit of worthless junk.

​@@richardpetty9159yep and it's cheaper to replace and a lot more resistant to malware. plus it works on multiple devices, so you can use it on a friend's device if needed

And in comparison with modern phones, these keys are not findable

@@aliancemd worse ever.. Having said that, i refuse use to use "Find my" on Apple devices, Perhaps it's just because i value some things more than others.

I dunno... i mean not many people i know have YubiKeys... Everyone is on the internet today.. You choose. There is no comparison as the choice is crystal clear.

That’s why you must have redundancy

​@@ramonbs6075yep. that's why it's always recommended to buy two

Did u ever get a answer from this guy or somewhere else?

if you trust that you won't lose it then remove the rest, since others are actually quite insecure despite the name

It’s not true that it’s “insecure”, if you use FaceID on your queried device. You are switching from 3FA(biometrics - “what you are” being the 3rd authentication mechanism) to 2FA…

@@vrbz That's the problem right... anything extra you have, even when its smaller, the risk of loosing it, increases While SMS is not secure, you have to go to great lengths to loose a mobile phone,. One way, would probably be attaching Yubikeys to your keyring, so where ever your car keys go, they go I have regular USB keys i store important stuff on, and i only keep them in my wallet... That's way, i always know where they are... (I'm not likely to loose my wallet) yet.... But IF that ever happens, i'lll deal with that when it happens.

I enabled 2FA using Yubikeys and then launched iTunes on Windows and was able to log into my Apple account without any issues.

Apple likes to do their stuff THEIR way.. If they do have it, it would be only local. I think its the same reason Apple wouldn't apply other apps access apart from Trusted Devices they like to enforce for the same reason.. As much as secure others wanna be, Apple thinks any link (like use of third party app to authenticate), can be missused... If the app got tamped with, downloaded from a malicious source., or on iOS "jailbraked". As good as iPhones are they really don't like to give people options either. The only way they can verify, if they do it directly...

The no windows sucks

you can set a pin with yubikey manager

What’s the yubikey manager? Authentication app?

No answer?

When you first setup key they ask you to create a pin too

@@lewisdoe4137 Who’s they? Yubikey web site? Apple? Thanks

It's not going to let you enable it with older devices connected to your AppleID.

I have a feeling you have to update to log in. I tried to log an older Mac running Catalina into iCloud and it told me I’d need to update my OS!

You are actually using 3FA, if you get the code on a device with biometrics, like FaceID. He suggests switching from 3FA, to 2FA

You shouldn't be using other apps to manage secure email, like Proton.

Yes x 6. 🙂 Also, you may have systems that need a different kind of key, or you want a Nano that's always inserted in the device.

@@NoSubstitute I’ve always struggled to understand the nano, I must be missing something. If it’s plugged into a pc or laptop & said item is stolen, they have your device & the key, so what protection is it providing? Sorry if I am too stupid to see something obvious here.

@@everyhandletaken No.. you are correct, but for some people, they have decided to balance security with convenience, leaning more toward the convenience side of things. It can prove to be very difficult and maybe frustrating enough to be a zealot at this that one might abandon use of the keys if it proves to be a frustrating endeavor. I did for a time.. I simply don't live with my housekeys physically on my person all the time, especially when using a computer at home. It had become a real pain as my keys were somewhere else too many times when I needed them to authenticate into a site/service. Almost walked away from using the keys, and did for a spell and went back to TOTP on authenticator app. It was later that I decided to cure my frustration by using YubiKey neo's in my desktops at home. I understand the risks, and have had the debate with myself, but in the everyday I find having to reach for the one key.. and at this point, it isnt one key, because my desktops are older units and only have USB-A ports, and my laptops and mobile phones have USB-C for android and laptops, and lightning for my iPhone, so even then, the solution that works for the desktops wont do anything for all the other devices I have. So, the desktops get Neo's and I have a series 5 C for all the rest that I use when generally out of the house. This is the solution I arrived at that works for me, with full knowledge and acceptance of the risks. I figure if I have a home invasion where those keys are taken, I can go into the accounts where they are used and remove those keys. I'm thinking it'll be some kind of epic day if that were to actually happen. Not impossible, admittedly, but... whew.. I don't think so.. So much more sensible swag in my house to swipe other than my computer keyboards (that is where the neo's are plugged into on my desktops).

@@garolstipock I really appreciate the in-depth response, super helpful for my understanding on this. You definitely raise a very good point that I had not thought of.. I just had in my mind that the nano would be plugged directly into a USB port, but having it plugged into a hub or keyboard, in your case, makes a lot of sense. As you say, thieves probably cares about stealing a keyboard or a USB hub! Definitely going to grab a couple a couple 5 series. Thanks.

@@NoSubstitute "your in dongle heaven buddy" :)

No

It was a limited edition.

Did u get a answer? this seems to be a TERRABLE Channel for answering questions/

Yes, when you want to sign in to your Apple ID. And no, you cannot use security codes anymore.

I have the same concern. Although, you could always carry a Yubikey on a keychain, as many do, in situations where you think you might need it. (It's seems very unlikely someone would steal both your iPhone and your Yubikey at the same time). And you could always leave your Yubikey at home (or in a hotel safe when on vacation) when there's a greater risk, e.g. when going out for the night or traveling.

Don’t get why you would go from 3FA(password+findable hardware+biometrics) to 2FA, “because a guy on the internet made a video saying it, so it must be true”

some things are 'secure enough'. Give me an option to disable 2FA while understanding the risks for 'individual's" account, and i'll turn it off within 2 minutes.. Forcing people down a road... Its a travesty against nature.. This little black duck goes his own way

I get locked out as is... How secure is secure ? No one like to use multiple methods just to access their Apple account. 2 may be ok, but not 3 or 5 ... That's going overboard.. People can say their the "most secure kid on the block" but at what cost ? If you have to go through multiple layers, it's not going to be very good, when you need it most, but loose one of those. Basically, the more you have, the more you have to rely on yourself too.

@@Tech-geeky "but not 3 or 5 ... That's going overboard..". 3FA with iPhone is easier to do(just pick your phone and look at it) than 2FA with YubiKey(insert into a USB port, wait a sec and then touch it).

If you trust all the manufacturers, why not. Remember that every separate key is a door into your account. Using FaceID on the queried device is still more secure…

Yes, it is

One key for multiple accounts! One key for multiple devices! But you should always get two, so you have a backup for when you lose the other (not break, as they are basically indestructible).

Those keys can break it how to be really really really strong to do so

Good question

I'm gonna assume 'services'.... Apple locks down their devices pretty good and they won't trust anyone, but themselves.. If they doi end-to-end security without a third party app, (fear of not able to verify) why would they allow it here to just unlock your device locally? Either way, your using 3rd party product/app etc. ... to unlock a product you bought from Apple. Still be the same situation, It would be convenient.

yep, Android works both with plugging in and works with NFC

Yea, i too am wondering the same thing 🤔 lols

Based on my experience with these and other services, once you are already authenticated then you can do whatever.

@@RobbieRobski IMHO, administrative changes that are only done occasionally should require more security. I was hoping Yubikeys would plug a security hole that thieves are taking advantage of. They secretly watch someone enter the lock screen passcode while out in public.(often at a bar restaurant), and then snatch the person’s phone. Within minutes they have changed the persons, iCloud, password and disabled. Find my iPhone. They then look at the persons, keychain defined all their passwords and transfer out all their money. The person is then permanently locked out of their iCloud account, losing all their photos if they’re backed up there. In some cases, they’re also permanently locked out of all the other Apple devices like MacBooks, and Apple, can’t help them, unlock them.

@@roger1818 I understand what you mean, but it's not ubikey or any u2f key mfgs responsibility. That would fall on apple or whatever service th provider that implements u2f.

@@RobbieRobski Agreed. I wasn’t suggesting that it was Yubikey’s responsibility. I was suggesting that it would be a good tool for Apple use to plug this hole. Apple allowing users to add additional keys (after the first 2 I’ve been set up) without requiring the use of a key is a hole.

@@roger1818 You can't disable Find My or those other things such as changing passwords without also knowing the Apple ID password. So it takes more than knowing the lock screen passcode. The YubiKey is required in addition to the Apple ID password, as I understand it, so the thief would need to know the passcode, Apple ID password and also have an authenticated YubiKey before a new one could be added.

Good question. It's best to have a backup key, but I seriously don't think it's necessary if you have another backup method. For example google has 10 one use codes, or Authenticator that you could keep on an old backup phone. I think it's just laziness on Apple's behalf and they only have this method implemented. They probably think you should go full security gung-ho with two keys, because Apple products are overpriced anyway, you have the money to spare, so you can afford two yubikeys. If they DO have other methods, like Google has, well.. that's Apple for you. Btw I don't own Apple products but I work with them, that's why I watched the video. And.. I only have one yubikey.

This is actually a smart thing Apple did with this implementation. Yes, theres no technical reason why you cant just enroll a single key to your account, but to not enroll at least an additional backup key would be a very very bad idea. Having a 2-key minimum basically forces the user to not make that mistake. Unlike other 2FA mechanisms, theres no way for Apple to reset your Yubikey 2FA if you lose your key. Having an additional "backup code" method like Google does defeats the purpose of why youd want to use Yubikeys to begin with. The whole point of security keys is to minimize the possibility of having your 2FA codes phished or obtained by malware, etc. If you have a list of "backup codes" saved or printed out somewhere, they can be compromised without your knowledge. The Yubikey requires that you physically insert the key, AND that you touch the key when the site/service requests the authentication, so it's effectively malware/phish-proof.

@@melorama808 I agree it is the best, but not everyone, like me, is willing to buy two keys as I'm just trying it out for now. I think it's just patronizing. Typical Apple. And they already have other methods in place that are as insecure or worse than having only one key. So no. It straight patronizing, or laziness, or they hold yubico shares.

its more secure ..... However, convenience always seems to over-ride everything now-a-days too, so i don't blame people for not using these dongles, because its dictated (like everything), "where" you can use them, Until you force users out of the 'comfort zone' nothing will change on a mass-scale. I mean, banks here in Australia, few offer Yubikey access and excuses start to boil over very quickly. "Don't use Westpac, because they still rely on SMS" just to make the point of course. You can say the same about anything. I'm sure credit union like P&N bank don't offer this either, but i don't care. Its extra security, thankfully

Technology changes over the years so it good to keep up with it

I wish they made them in a smart card form factor that I could keep in my wallet

@@mattv5281 you keep it in your keyring, or get a nano and keep it in your device always.

Tie it to your shoelace & then you have an NFC foot 🦶

@@NoSubstitutenot a good idea! If your device is stolen along with the plugged in key then its pointless to have Security Key enabled in the first place You’d always want to have it unplugged and separated from the device incase of it being stolen

I have the 5c nfc, it's on my keychain which I generally always have with me. Not a horrible inconvenience for significantly stronger severely.

You can encrypt your iCloud can get a key for it.

@@jajuanyoung what i don't understand and i guess to me "it seems to be a flaw" in Apple's end to end. but with iCloud, why is the user asked to enter the 'same password that they use on the Mac to login" to encrypt files in iCloud?? Easy to remember, is the only reason, but if Apple heeded security, should it be a a random password each time ? And if they use encrypted data for already stored files, then it should be stored on decide to decrypt ? iOS has keychain equivalent, just like Mac. so why isn't it used for this ? Sometimes i refuse to login to iCloud on iOS, because (by design) your forced to enter your Mac''s password to encrypt files (weather you actually intend to use icloud storage or not) On the Mac you can choose to skip this part, but you still login *separately*. It should be separate but on IOS it's not. Just give me a ransom password to encrypt files, and it will work, instead of trading security for convenience.

😆 I don't wanna be like that.. Its my number #1 worse fear, but i only have my USB keys as my 'protection" If they go, so do I.

Keep a backup in another location.

Bro you say it like it was a secret, they said It on there website clearly both apple and Yubico so next time read carefully

So, you don’t require they key in order to login (or hack in) to your totp account & access the codes?

@@everyhandletaken I think you can add a pin to be able to get the TOTP private key from the yubikey. But you must consider all this 2FA stuff is really to protect yourself from REMOTE attacks... hackers. Not really for cases when your phone or keys are stolen.

@@sermarr onlykey seems to fit both criteria

@@everyhandletaken That onlykey is nice, a bit expensive, but it does have a pin keyboard. There's also a yubikey with fingerprint scanner instead of a keyboard (and a pin backup in case you cut your finger) but I think it doesn't have NFC. In all yubikeys the pin input is "via software". I don't have a yubikey yet (it's on the way) so I can't say more. I'm still researching all this stuff 😅

@@sermarr yeah, I really like the idea of the physical pin pad.. you’re right, there is the Bio Yubikey.. very expensive & no NFC, as you mentioned. At least with the Onlykey, I could still type my pin with a stick between my teeth, if my finger fell off lol ..but it has no NFC either 😒 I haven’t made a purchase yet, but I think I will just end up going with the YK 5 series.

Apple ID uses 3FA by default(password + hardware + biometrics on the receiving device), if you have FaceID enabled. He is encouraging people to switch away from the default 3FA, to 2FA(password + non-findable hardware).

@@aliancemd not everyone uses FaceID.... I still have my iPhone 6s Plus. and will continue to buy them as long as i can still get them... I don't need all the fancy crap of today... Its good technology, sure, but its a bloody phone, not a Swiss army pocket knife. If it wasn't for the fact mobile providers forcing everyone onto 4G (and up) as shutting down 3g network, i'd be still on their as well.

You can bypass faceID with the pass code. This adds another layer of security to your Apple ID.

Use the NFC version

The one with lightning is double sided with usb-c on the other end

My nfc stoped working what now

login from any device with a web browser and remove the keys