Just ran across this video... All I can say is THANK YOU! You did an amazing job at laying out what Yubikeys not only are, but the demos were off the chain! Keep up the great work sir!
Best balance between skimming over details to make it short and going way over time to make an exhaustive yet way too long video. Key points are covered. Points out of scope are stated as such. Points that have bigger implications and do need consideration at some point, are also made clear: things that make you think. Ideal balancing a critical yet confusing topic. Great vid.
We have company issued Yubikeys for over 5 years and you are exactly right about how good they are. Even though I'm a very long time user, I am so glad you made this video. I have actually been wanting to use Yubikeys for my personal accounts, but hadn't invested the time to figure out how to set it up. So I've been using the MS and Google authenticators. But I prefer the yuibikey for the same reasons you cited. I was working in Germany a couple years ago and forgot my yubikey at home and needed access to our corporate VPN. We fortunately had an office a couple hours away and I was able to get a replacement through our IT. But I wasn't sure if I could setup a couple so I'd have a backup. I also wasn't sure about how to get it to work with a phone since my company issued yubikey is the USB A style. You really answered ALL my questions. I'm going to hit your link and pick up a few.
Yes, I am replying to my own post. I just received the 2x5NFC USB A's today that I ordered. I am even more positive now than before that this is what I needed as I spent a time over the weekend looking at the key capabilties. I am buying another 2 of them. I am getting a set for my wife for her to use for her accounts. As with most people, her security awareness is limited and it is pointless to preach about it to people. You just need to provide them with something secure and simple which this really does. It also means I can authorize all 4 on joint accounts so that if something happens to me she will have access to our accounts like gmail, 401k, banking etc. I work on numerous linux systems via putty and ssh and was very pleased I can use putty-cac as well even if the PC doesn't have a SmartCard slot. I tried it out earlier today on a few systems and works great. I had looked into SmartCard as an option about a year ago as a personal security solution, and dismissed it due to not working with phone and needing a reader among other shot-comings. I do use a CAC SmartCard for work, but only have the reader on my company issued laptop. This yubikey solves so many problems. I didn't know it had so many authentication choices. However, BEWARE - You need to get at least 2 and make sure you setup the additional keys or you WILL be locked out of your account if something happens to your main key. That should be made clear to someone considering this.
I’m a tech moron.... and was filled with dread at having to update my entire online security & password collection over various macs. This video has really helped ! I think I can now master this with a bit of time. Thanks 🙏
You don't have to use the manual method to configure the same TOTP on all your YubiKeys, just switch between them while on the QR Code screen and enter the TOTP from the last key you configure to finish the respective service TOTP setup.
Now, this is neat. I never know those accounts are stored in the keys. I started using Authy last year because it can back-up my keys. But that means my secret codes are now on the cloud. I need that feature so I won't lose them whenever I reset my phone, which I do every time when it gets a major system upgrade. I don't lose my stuff easily, so having a key is better than having an app. Thank you for such an informative video.
Great video! It's worth noting that for most accounts, even if you miss typing in the code before it expires, as long as you know it, you can still enter it for some time (usually between 5 and 15 minutes). Obviously, as soon as it expires you can't see it anymore, but if you still remember it, you can still enter it.
For TOTP you can use the QR code to program multiple Yubikeys simply program one and do not put the code from the key into the site, then insert your second one and add it there two and once you've programed the last one then enter the code into the site. As an alternative for having multiple keys for TOTP you may copy the code or QR image and store it in an encrypted file using tools like GPG/OpenPGP but that is an other subject, sort of... it would have been nice to cover the PGP functions of the Yubikey as well, may be that can be a future video :).
If you do this I don't believe you'd be able to revoke them individually, i.e. in case you lost one. You'd just have to remove and re-add the one you still have.
@@ahensley on the contrary, in that case if you lose one key you can just get a new one and feed it the existing TOTP seed (the original QR code/secret code). This way you don't have to invalidate existing TOTPs and redo them all over again in both new and old keys. (If there is a chance that you lost a key to someone who also has access to your passwords then the correct thing to do is actually invalidate existing TOTPs and redo them, not reuse existing seeds)
This a great video I really enjoyed it and it was very informative. I got one of these that was left over from a project at work. To pilot for a new customers 2FA implementation, seems very kool. I'm going to try and use the PIV deployment method with local active directory and a CA to use them as a smart card.
Thank you so much, this vid is amazing. You answered every question I had about the different application types. Simply brilliant! I am so thankful for you and you sharing your time.
Nice Video, I got a yubikey a few months ago but I wasn't using it to it's full potential, this video helped me understand what are the capabilities, thanks!
Yes I bought two and they have been lying on my desk for two years as I tried to use and got all mixed up so hopefully I will be able to understand how to use (haven't listened to your clip yet).
I was constantly thinking "something in the background looks familiar, but I can't pinpoint it... Then my eye fell on the frame hanging next to your youtube reward button thing, and it clicked :D
@fuck google It's a wiring diagram for Ethernet cables www.google.com/search?q=ethernet+wiring+diagram&sxsrf=ALeKk00UdIyMZp6J_v1JjfzmBKeHK0SxRQ:1606463841336&tbm=isch&source=iu&ictx=1&fir=d3PlvGVMrC5arM%252CV-i5CBR7Nb_OJM%252C_&vet=1&usg=AI4_-kSGgTtbv7cz3tvqafq7529zknD0IA&sa=X&ved=2ahUKEwj3vO2UoKLtAhWNmKQKHeGNA50Q9QF6BAgCEFU&biw=1536&bih=722#imgrc=d3PlvGVMrC5arM
Chris, I love your videos and especially this one, I saw it maybe more than 10 times....and if you see the rest of the comments, I purchased two using your links. But l figured that yubikeys are NOT faster than any Authenticator app and let me tell you and prove you why: I spend a whole evening trying to setup my 2 yubikeys, a 5Ci that I will use as a backup (got the idea from you) and a 5C Nano for my laptop. Later on, I decide to go to bed as I had to wake up early next day. So while I’m on my bed and using my phone trying to fell asleep, I decide to check my unify network, by using the “Unifi Network” application but, it asked my for a 2 step authentication. Unifi was one of the first setups I did with Yubikey since I saw that also on your video. So the fact that I had to get up, go to the living room that I had my laptop and next to it my 5Ci yubikey, so I will put it on my phone, in order to login to Unifi Network app, make me realize that yubikeys are NOT faster than my Authy app which was still installed on my phone but without my Unifi auth, since I removed it once I install the auth on my yubikey. I never made it to my living room since it wasn’t so important to go, but definitely made me question my self why I should move from Authy app, to a yubikey. More secure? Probably....but I feel like you want a house without glass windows just for the ONE chance that burglars brake the windows and get in your house. Nobody is building a house without glass windows, right? Although the possibility is always there, that burglars can get in. I hope you understand my point! I will try to use my yubikeys since I bought them, but I don’t know how convenient they are to be honest.
I now have my two 5NFC YubiKeys "Smart-Card Enabled" on both of my Macs meaning that the only way I can log onto either computer is to physically insert the Key into a USB port & enter the PIN. Passwords no longer work. Pairing my keys to each computer was easy peasy. Getting the "Smart-Card Enabled" on my computers required the same effort Generals in WWII had in planning the D Day invasion. Apple articles are incomplete & I never did find or talk with a Senior Tech Advisor that had ever even dealt with the codes required that need to be entered in Terminal. Either Passwords or the YubiKey can be used to log into a computer if "Smart-Card Enabled" isn't enabled which seems to me to defeat the purpose of YubiKeys. Yes, I've just subscribed & rang the notification bell. Warm Regards from Reno, Nevada.
been using a yubikey for years have a few of them. it's important to note if you set everything and then loss the key your going to have a problem. So its best to have two 1 you use and one you keep in a safe place with the same sites configured on it.
I'm just under two minutes into the video, I'm hopeful that this provides an answer about what to do if you break one, because I have been known to break tiny things like a USB Key, so that has been my biggest fear about them. I mean do you have a backup key? Can you make new backups if you need to use the backup because the original broke?
Yes if I were to use them I would and you can have multiple keys. Just like backups go for 3 keys one of which is off site but in a secure place. One on you, a replacement hidden somewhere in the house and another secured off site. He is actually wrong or misunderstood when it comes to having multiple token generators: just like backups you have a sequence of secure backup keys.
You can't make a backup of a Yubikey, each Yubikey will forever remain a separate key with its own identity. What you can do is have several Yubikeys affiliated with a single account such that losing one means you can use the other. Any lost key needs to be manually removed from an account/website.
I was intently listening to you describe why I should be using a Yubikey and looking at the artwork on the wall behind you. I know I am really tired and need more sleep but I thought I'd keep watching as long as I could and then it hit me as to why that artwork looked so familiar. When you terminate enough network cables in your life that you can do it in your sleep, things like the T-568B standard just becomes like a white wall or a white ceiling. It's there but you just don't see it and yet you known it there.
Probably that it's faster than using authenticator apps on your smartphone. Also that he showed him how to use it since he was unaware of how they worked
I may be overly concerned about hackers, but personally I would not go with anything that is wireless when security is concerned. Wireless just provides one extra weak link in the chain. When using radio technology, i.e.: "NFC" I do suggest making yourself aware of the exact radius of that particular radio transmission.
Thank you for explaining. I Just ordered a yubikey 5 nano yesterday. Unfortunately I only found your video today or I would have bought through your link.
The only problem I have found with my YubiKey 5 NFC is that not all companies have changed their 2FA to use hardware Authorization... I wish YubiCo would update owners when they add new partners. Otherwise I love YubiKeys. They are about to come out with a Fingerprint YubiKey.
Thank you for that great product advertising. But I'm missing one topic completely: PGP transfered keys to the YubiKey: a) Usage in general b) What if you loose the YubiKey with the transferred private PGP key part? Just use the key backup that you hopefully did before transferring it? c) How do you revoke already published PGP keys from an lost YubiKey on the corresponding (public) PGP key servers? I'm currently struggling a bit with that YubiKey 5 NFC variant to use it with my PGP in order to sign or encrypt my mails on desktop client or on android client using the NFC interface...
As always, thank you for your in-depth videos! I have learned so much. One way to explain 2FA is that it is a subset of the term Strong Authentication. Strong auth works on the triad of, something you are, something you have, and something you know. Any two of those used together is strong auth, a.k.a. 2FA.
Thank you for your post. Can you explain to me the triad of “some thing you are“? I’m not sure what you mean by that. I understand the other two elements, something you having something you know.
Had one laying on my desk, after some testing some months ago. Did a second round after your video.... Now I am going to purchase a new keyboard and a second key.
You mentioned “losing” one of your Yubikeys. What’s the best practice for moving forward if you believe it to be truly lost or stolen? That would make a good video.
It depends on the account you lost. He briefly mentioned backup codes, I've seen that several times now that you get backup codes when you set up 2FA. Save those codes, and do not lose them. If you do, there may be no way back. I lost my Steam Authenticator, and had to contact support to get it straightened out. 2FA kind of worries me for that reason. Same problem with one time use texts, if you lose your number or your phone.
Get two yubikeys and lock one of them up in a safe place, many sites will let you register multiple MFA devices. So if you lose one you can log in with the other key, delete the lost one and register the replacement. On sites that do not allow that they will have some sort of backup code or method. Put that info in a safe place.
Simply buy ledger Nano s or Trezor T which only unlock after entering pin on the device. You only need to keep a 24 or 12 words backup if you lose your device, just buy another. They both offer Fido 2.
I'd love an answer to that too. How do you invalidate a Yubikey if it is lost or stolen, to stop it from being used maliciously, or is the only way to manually remove it from all your accounts? Is there no way to say "I no longer have this key, remove all the accounts from it"?
@@Anaerin Exactly - seems like you'd have to keep a list of everywhere it was registered and then go chasing them down manually. I know I won't do that (keep an up to date list)
Thank you, this took me over the top, I ordered Yubikeys (from your link, of course) for the family. One question remains. What happens with the lost backup Yubikey? Do you have to reset all the logins?
Regarding Tile, they work via bluetooth not GPS, so they will only give their location if they are near your phone (or near someone else's phone with the tile app). It works well for if you can't find your keys in your house or to check they're in a bag, much less useful for tracking a stolen bike.
I wish they had a screen for totp, with out having to plug in the device into a machine for those areas that we can’t install software nor plug usb into them
I absolutely love my YubiKey. The only downfall is the lack of support on many sites and web apps on the u2f protocol. I have tried many times to push these hardware keys on UniFi, Synology or others. But they rarely respond on the request, due to lack of the user base usage. The more people keep asking for these requests. The faster it will be taken into consideration.
It’s a chicken or egg situation. No one wants to spend money on a piece of expensive junk that isn’t useful on more than a handful of sites that virtually no one uses. But no sites want to spend the resources to support Yubikey until more people buy them.
Hi, I just purchased the Yubikey 5 NFC. I have windows 10 home version and currently login with a pIn number. Is there an additional advantage to use Yubikey instead of logging in with the PIN for Windows 10? Will it be more secure if you do both? If yes, how do you implement that feature. Thanks.
I have some old Yubikey 4 as well as old Feitian and Titan keys when I turned on advanced protection on Google. But seeing your demonstration of the YubiKey authenticator, I've now purchased five of the YubiKey 5 FIPS keys and am excited to try them out. Something interestingly different is that the secrets are now (since YubiKey 5) are stored directly on the key instead of on your application. This will make it easier to use secrets from different devices without trusting a cloud service like Authy to keep the private keys on their servers.
Actually, many phones already have something like that build into it. So when your phone is unlocked, you can use it to log into systems. Both Android (since 7.x) and Apple. Apple and Windows laptops supposedly also support it. In Windows it's part of Windows Hello. In all cases I think they need to have a chip build in. Also Krypt Krypton might be an option.
This is a most helpful video as I've been wondering how these work for some time. However, I am blind and use screen reading software and refreshable Braille. Would teh Ubico authenticator app be usable by me?
It would be nice to see them integrate biometric authentication into it (an advantage of the smartphone) would also be nice if soft token MFAs got more into MFA push notifications for wearable devices. (Giving you the same one touch MFA experience as the ubikey).
I love using my Yubikeys and now they've brought out a model with a fingerprint reader, so... *TRIPLE* Factor for the win! Something you know, something you have, something you are!
I got one 5 NFC for 3/4 of a year now. Ordered it to do smartcard login to windows AD. To see that it can do soo much more is really intriguing! You said we can ask questions? Perfect! I just have a problem with the smartcard variant when try to use it against windows AD to a rdp server behind an RDP gateway. It just does not work, and I could not fix it. May you help me out with that case?
Google Authenticator now lets you log in and migrate devices, I believe. Edit: it requires the old device, but you can scan a QR code from the old device using the new device to migrate to the new device.
If you're lucky the old device hasn't suffered a hardware failure,fire,water damage,theft etc I had a charging port go on my Android phone and only realized by the end of the day that the thing wouldn't take a charge and had to literally make haste to get another old spare phone setup and migrate via QR . If I didn't notice it earlier I woulda been hosed pretty badly as I've got Google 2FA on pretty much everything.
All MFA apps allow you to migrate your accounts. All you need to know is backup/recovery codes that you were provided with the first time you signed in to the MFA app.
Best Yubikey video ever. I learned about this from a podcast but they just flew over the topic so fast I couldn't tell what to do with the damn thing; only that it was 2fa. Now I have a reason to buy a few to use for more security. I don't like using my phone for 2fa because I don't really trust the phone's os.
The problem I had with my Yubikey 4 was that google, facebook and twittter wouldn't allow you to enable it without giving them your phone number. The whole reason I got it was to avoid as many third parties getting involved and giving them something else by which to track me. Do you know if these issues have been fixed?
Hmm... Doesn't leaving the key plugged into your PC with the app running kind of defeat the object? Not unlike leaving your password on a post-it note under your keyboard really :-0
It would still need to be tapped by your fingers to activate… but yes, this has crossed my mind as well. For that I personally would steer clear of the “leave-in” ones… though i think the concerns are irrational for most security threats.
In fact no, and thats why things like the trusted platform module and ssh keys exist, its just a second factor so if somebody wanted to hack your account they need your password too, or the other way around if they have your password they would need to hack the pc too to get the login done, but the yubikey requires button confirmation before login so thats fixed too
Hi Chris. Great video. Thanks! I will sure go to your link and buy a key. I do need a backup, as you said it is smart to have one. If someone buys a backup, does it have to be the same exact as the original? Or will a 5C NFC work well with a 5 NFC? Thanks!
Awesome video...one other question I have is how is the durability of these keys. I notice you have them on a Keychain with is usually thrown about casually.
Great video, but I'm not convinced it's better for personal use, you really can't beat something like 1password's cmd+/ (mac) or ctrl+/ (windows) key combo which fills your username, password, and when using OTP, the 2FA code when prompted. One and done. Also integrates into Safari and Chrome for iOS or Android. Truly a one-stop password app. Not to mention, it's stored in an encrypted vault, so it's shared between ALL your devices. Lastly, no limit on the number of sites you can use 2FA on. Yubikey seems good for large-scale 2FA implementations, but not for personal use... IMO
I think a middleground is perfect. Use yubikey for 1password and let 1password handle all other 2fa. I just googled and think it should work. You'd have the best of both worlds imo.
I think Chris got this wrong in his video. I'm not an expert on this, but I spent some time researching this because I wanted to know the technical details. If you're looking to replace authenticator apps that generate TOTP codes, a Yubikey or similar device can actually be used for an unlimited number of services. The 25 slot limit is for "Resident Keys" which are used for entirely password-less authentication schemes.
"I had a half-dozen yubikeys on my desk that I never used until Yubico contacted me to join their affiliate program, but the affiliate program had no influence on my endorsement of their product."
Looks like Yubidoobie is pumping loads of cash in influencing YT influencers. It’s Yubikey! wherever you go. Check out Rob Braxman for some real security tech.
Can you advise me what I am doing wrong as my new yubiky is not registering when I insert in my iPhone. Also it’s it asks me to tap on the back of my phone but my yubi doesn’t have NFC which I realised is a downside but it should show up at least when I insert in my phone right? Thanks in advance
Gotta love RU-vid recommendation: Up next: Breaking FIDO: Are Exploits in There? From Black Hat In all honesty I'm still slightly skeptical. I personally still only use passwords, and don't login on computers that I don't own/control. if I'm ever out and going and need to login to my bank or something like that I just use no-machine to connect back to my server at home and login thought that. I'm still not sure how trustworthy a for profit authentication company can be, when you have major player like google joining on the standards. I don't think there's a major security issue, I just don't think it's mature enough, on one side Google is fucked up, on the other Google (and other major players) have too much to lose if they start loosing reputation, so I don't think they would mess with authentication, but who's to say Yubikey can be trusted to not fuck up their protocol and chips being fundamentally flawed. The issue I have with all those passwords and double, triple checking of identity is that at the end they tend to try and make it easier to actually authenticate, and people end up using a 4 digit pin set to 0000, 1111, 1234 because some company made their old password insecure by forcing them to change it, make it too complicated, and have a trillion different login portals.
Looks very interestign.. Just a question: let's say I need to access my NAS at home from a remote location (friends home for example). Does the Yubikey require software to be installed on the computer used to remotely access my NAS? (On the computer of my friend where I might be) Or is it 'plug & play'?
Whatever you are authenticating to must support some form of 2nd factor to work with a Yubikey. If your NAS supports a 2nd factor chances are it can work with a Yubikey. Yubikey has various models with differing capabilities but they have models that support some to all of the following types of MFA: HOTP, TOTP, U2F, FIDO, FIDO2 and PIV. Some, but not all, of those methods do require software on the computer using the key.
I apologize if I'm repeating a question, but I noticed that there are different security standards listed (NFC and FIPS). I was wondering if the FIPS security yubikeys work just like the NFC youbikeys? I'm asking because I'd like to know if the different security standards are cross-compatible; whether the FIPS standard is a more robust standard and if it's beneficial for standard web authentication. I guess I'm worried that if I get a yubikey with FIPS, I'll not have the versatility & ease of use like the NFC yubikeys.
so what program do i download to be able to use the yubikey codes on desktop, but not to sign into windows, a while back i installed the "yubikey for windows" program thinking it was just the version of the software for windows, but next time i turned on my computer it wanted a yubikey code... which i didn't have, had to restart/factory wipe the PC;
Excellent video ; I have an old one, time for an upgrade methinks. Also, I think some insight as to how this might work in an enterprise environment. Will it save sys admins time as well. I keep hearing about Google's Titan key effort but I wonder how a REAL business might function with a YubiKey implementation. Are there labour economics to warrant?
Good point about the company use case but there is a bit issue with that. Many companies, due to security reasons, disable USB ports on the devices so only keyboard/mouse will work and device charging. I wonder if 2FA device that is supposed to be plugged into USB will work as intended when this restriction is applied?
Hi Chris, Thanks for your Video!. I Have one question: In the case that I am having some shared desktop how does the Yubikey help me in invalidating the session once each operator disconnects his/her yubikey from the USB interface. The scenario is that sometimes the operators (that are using the same desktop) do not do logout. Is there any way to force login when a new Yubikey is connected and prompts for a new login?
