Yubico Authenticator vs Google Auth vs Twilio Authy - BEST 2FA App in 2024
- Published on Feb 8, 2025
- Get $5 off a Yubikey 5 NFC: www.yubi.co/sh...
Get a Yubikey and protect your accounts! amzn.to/3S8BSLL *
This episode is sponsored by Yubico!
Watch my Passkey episodes here! - • All About Passkeys
play.google.co...
play.google.co...
play.google.co...
Become a Morse Code Member by checking out the perks linked here:
/ @shannonmorse
😍 FTC DISCLAIMER 😍
Affiliate links listed above allow me to receive a small commission. Any sponsorships for videos are noted in video and listed in descriptions. Any products provided as gifts are listed above. Thank you for your support!
Comment section code of conduct policy:
Constructive feedback is appreciated, but please leave unproductive, divisive and harmful conversation at the door. Hateful comments are not tolerated, and these kinds of messages will be automatically removed. Thank you for making this community a welcoming experience for all viewers :)
snubsie.com/co...
I've heard that Aegis and 2FAS are good choices.
I wish she would have included Aegis.
Raivo OTP is also great and open source
I used Aegis in the past but that unfortunately is tied to android phones only. I ordered a yubikey 5 nfc to be independent of authenticator apps
I use 2FAS. I'm happy with it.
Aegis is amazing
Way to go Shannon! I've been waiting for a showdown with 2FA authenticators INCLUDING the Yubico authenticator. I use Authy for my home tablet and Yubico for my phone for better security when I'm on the go. I do think you might have mentioned that Yubico authenticator only works with version 5 Yubikey. Love the Yubico authenticator for PURE SECURITY on my phone
Enjoy all your videos!
Much health in the new year.
Anthony
I choose Authy for convenience with multi-device abilities. Too risky for me to not have a backup in case my phone breaks, gets lost, etc. I think using any 2FA app at all is more/better than your average person does anyway.
Shannon, I worry about any discussion of digital security that doesn't address open source.
Please don't ignore this elephant in the room.
google authenticator uses an unencrypted HTTP connection, Google said they'd fix it months ago but have yet to do so. Google Authenticator is also closed source, and unlike alternatives, does not let you retrieve keys to use with a separate authenticator.
Google Authenticator is just bad …
So I can't use a Yubi with google Authenticator?
@@rainerrain9689 correct
@@JAM35_ Well that's not good, so now I have to find a video on how to transfer all my accounts to Authy which does, am I correct?
@@rainerrain9689 are you using google authenticator now? If so, you'll have to generate all new keys for everything, because google won't let you switch from google authenticator.
I like Authy for its end-to-end encrypted cloud backups and syncing, using a separate password specifically for said encryption. I can have Authy on any computer or mobile device I want and it'll sync my secrets between all devices. I also appreciate how it has its own PIN lock and doesn't just rely on the device's Lock Screen code, even if you use biometrics it doesn't fall back on the Lock Screen code. Anyone who might happen to have my Lock Screen code can't then get into Authy and get my 2FA codes.
I agree. Authy has a reasonable set of additional safeguards which makes its cloud function more secure. That’s why I chose it as well.
I was in the same place til I moved to a password app that incorporates an OTP generator and passkey functionality. There's an argument to be made for separating the password and MFA - but then, I protect my password app with my Yubi ;)
@@The_Nixie I'm not sure I can trust myself to not lose a YubiKey, so if I get one it'll just be for convenience at my pc, and I'll still have my Authenticator app set up as well.
Also if you lose your passwords you also lose all your 2FA at the same time if you have them together. I always have my backup codes and 2FA separate, and if I ever move over to a password manager, I'll have that separate too. Way less hassle if I have to undergo mass account recovery.
With Passkeys, I'm waiting until Apple implements Stolen Device Protection before setting up any passkeys so that anyone who has my device passcode, e.g. a family member, can't just use my device passcode to access my accounts.
@@Damariobros all true. I generally have multiple yubis + an auth app (for occasions when I don't have Yubi handy) - but no matter how you do it, your comment exemplifies why there should *always be more than one key to any lock. :)
They are sunsetting the desktop app in a few days. Major disadvantage. No idea why they are doing that. Very inconvenient.
Why did you not include Bitwarden or Microsoft Authenticator? Are these not some of the highest market share authenticators?
Doesn’t mean they are the best… or even good
@@MaxMustermann-vy7ur Agreed.
Great question, but I notice there seems to be very little to almost zero Microsoft related content in any of the videos for some reason.
Microsoft, lol.
quick tip: if you're storing your passwords in bitwarden, avoid storing your 2fa codes there too, especially for important accounts. you do gain security if the password itself is compromised, but if your bitwarden vault is compromised (eg by someone using your computer while the extension is unlocked), so are *any and all* of your accounts at that point. by keeping your 2fa codes separate from your passwords, you reduce risk of either one being compromised, even if it's a little less convenient at login time.
I would always suggest keeping them on your phone, protected by biometrics and a different PIN/password (if someone tries to add their face to Face ID on an iPhone using your unlock PIN, the 2fa app will then reject biometrics and require its own to be used again - so that's still safe behind biometrics)
Learn a lot about Yubico from watching your videos. You still remain one of the best. Thank you Shannon! Happy New Year!!!
I love the yubico authenticator but it doesn't hold all my keys. It has such a low limit.
2FAS is a great open source TOTP app
What app is that in the iOS App Store can’t find it
I searched “2FAS” in the iOS App Store and it came up as the second choice (1st non sponsored) labeled “2FA Authenticator (2FAS)”
@@AlmightyShadoe "2FA Authenticator"
Edited to correct some info on the OAuth vuln, but also, to say, great video as always, Shannon!
And to preface the following, I personally do like my yubikeys, I'm just exceedingly sparing in where and how I use them.
Now...
Something's been bugging me about 2fa with security keys and passkeys:
Technically, if you don't need to input a password or OTP, these are NOT 2fa, and the security is still weak. Especially with the recent research reports of reviving dead OAuth session cookies. It's important that everyone make sure not to disable passwords if optional when using a yubikey or other security key or passkey. And if password usage does not persist, it's just 1FA. 😢
@xileets Doesn't the cookie (stored on the device) count as one of the authenticators? So long as the same device doesn't also have the authenticator app too then any attacker would need two of your devices to breach the website.
How do you figure that passkeys are not 2FA? They satisfy something you have (first factor) and either a biometric (second factor) or a PIN or password (second factor).
@@Dobbo314 Correct, however, in some cases you can disable this requirement. And then there are relevant cookie vulns. There's a relevant CVE... I'll find and post below.
@@MaxPower-11 my first response was overly complicated. Yes, you are correct, if there is a second factor required. But some implementations allow just the use of a security key with nothing else, and that is not satisfactory on its own, as some keys contain a single factor: something you have.
I use Authy, I had Yubikeys but lost one, broke one etc, that's why I don't use them any more. I would be forever looking for my Yubikey whereas Authy is on iPad, iPhone, Android phone and desktop, lots of backup.
I have two Yubikeys. One lives on my key ring (with my car key) so it is always in my presence, the other on a lanyard that hangs near my workstation. I think you are doing something wrong if both your keys are not readily accessible. By doing this I consider the chance of losing both keys is as close to zero as i can reasonably make it.
Yes, I think I will get some and try again because they are the best solution, maybe get three! @@Dobbo314
The promo code is not working! neither is the link above it.
Coupon code does not work for purchasing Yubico😢
Been using Yubico Authenticator for years. Love it and feel secure vs Google and Authy. 👍
I tried the code at checkout and it's not valid
If you're using standard Android then Google already has all the stuff the app collects. I just wish it was more clear on backups. I accidentally turned that function on then had to turn it off again. I was a bit annoyed because I don't want that feature. I'm perfectly fine manually updating my backup devices.
Raivo OTP, 2FAS?
tbh for 2FA i don't see why a yubikey makes sense .. anyone can just tap their phone and have my 2FA keys WITH my email .. compared to my phone where i have face unlock and am less likely to lose it compared to an extra device like a yubikey
Did you consider privacyIDEA? It's my personal fav.
Open Source, all important token types are supported and all data remains in your hands. Basically, you can create your own 2FA server without being dependent on others.
Shannon can you do an extensive video walking a newbie how to use my yubico authenticator with an actual site. I see the codes and the clipboard but don't get how to use it on an actual site.
It's good to see some comparison of 2FA apps. But I have to say that the list of apps is far from comprehensive. Okta, Microsoft should be included as they are often used at workplaces
Which is best??
I just find the google auth app is very easy. I'm thinking that carrying around a YubiKey would just be a way to possibly lose it and not be able to log into sites. I don't let google back up my codes fyi. Thanks for all your work on security, it's very helpful.
Twilio drops Authy Desktop app. Too bad that news didn't come out before Shannon made the video.
4:00 the app actually is like acting as a viewer for your yubikey hardware where you can view the stored 2fa/mfa. no need for syncing because you already have it in the palm of your hands, imagine it if it has a screen/display you will not be needing the app anymore.
Do you have one of these videos on apples keychain
Hello Shannon! This was very informative. I have a query I’m hoping you can answer: How many accounts can I keep a record of on a single Yubikey 5C NFC USB C variant?
Depends on the protocol. I haven't hit the limits but here they are from a quick Google search: There are limitations with the YubiKey in terms of supported accounts. It can store up to 25 FIDO2 credentials for password-free logins, two OTP credentials, 32 OATH credentials for one-time passwords (when paired with the Yubico Authenticator), and an unlimited number of U2F credentials.
@@ShannonMorse thank you so much for replying. I ordered my first pair just yesterday! Your video helped.
Do any of these work on the iPhone? Would it work on Linux with Yubikey and Windows 11?
Great video! Next time type in "subscribe" instead of "chicken" as your sample password ;)
The affiliate link for $5 off a yubikey is invalid!
I noticed that too!
If it has the option for cloud avoid.
The app works even without a driver key?
Great coverage as always. Thank you.
And feel better soon.
what do you think about Ente?
Find you a friend who is dedicated to you how Shannon is dedicated to security 😂
The safest password in existence "chicken"
How Shannon is dedicated to YubiKey.
I assume that you recommend your Authenticator app be separate from your password manager app?
Hello, is it possible that one certain device be connected to two authenticators (for example yubico and google) simultaneously?
Hi Shannon, can I buy 2 of the same YubiKey 5C NFC with USB-C or do I have to buy 2 different kinds of Yubikey like USB-C and USB-A? Does that matter? Please advise. Thank you!
I know they're not necessarily secure, but for things like chromecast devices would i need to use the yubico authenticator app for Google instead of the normal security key option so I could sign in on there?
Does Yubico Authenticator work without a hardware key?
What about the vivokey apex? I just got one placed into my forearm right above my wrist. Now I don’t have to worry about losing my yubikey
Watching this made me feel even better for buying my wife and I Yubikeys.
Missing keepass databases 😊 use a separate file only for 2fa
Love my Yubikeys and their Authenticator. Wondering how to introduce my kids (preteens) to it on their devices, though? Is there a kid-friendly learning curve Yubikey you'd recommend, Shannon?
Surely the issue here is to get them to "care" about security. I remember, when she was about 14 (she doesn't remember now she is 25) that my niece came to me asking about Net Neutrality. She got why Net Neutrality was a good thing - what she didn't grok was why commercialism would want things differently.
Link does not work.
I knew Google collects data from their authentication app, but didn't know Authy to a lesser degree does as well. Yubi key has my attention.
Doesn’t every authenticator app collect information about its users?
Can I attach yubico to my boarded insistence?
I've never used an authentication app and I want to use one. What is the best one? I don't have the USB sticks yet. Can anyone help with this?
Is there a limit on how many codes can be stored with yubikeys?
They hold a maximum of 32 codes
Fantastic, so if I have more websites with 2FA I would need more keys. This is a bit sad.
@@zhiqiangzhou540 they will increase limit for yubikey 6
Hey Shannon 249 p.m. Chicago time September 5th 2024 I've got a question I just got recent access to my Yahoo account and the Yahoo account doesn't use security keys no More I'm not able to set it up on the Yahoo app anymore I need help......
Am I correct that if I lose my YubiKey and did not password protect the key then anyone who finds the Yubikey can install the Yubico Authenticator app and view the accounts stored on the key? I bought two keys (YubiKey 5 NFC) and am trying to get my head wrapped around how to properly use them before I actually use them. I have the app installed on my iPhone and both keys open the app and that got me thinking something is wrong, where's the security. Nowhere have I heard anyone say to put a password on the YubiKey and I don't see any way to add or remove keys from the Authenticator App - Still confused.
I got the tiniest Yubikey because it looked so cool and inconspicuous pushed into the side of my MacBook but it seems I can't use it because the part that sticks out is so tiny that nothing happens when I try to touch it, so I also bought the flat one that sticks out further but it seems to jiggle around and get knocked askew when I press on it. Any advice would be appreciated. I'm past the return period. I want to make these work since they seem to be the best solution, although I am surprised to not find most financial sites on the list which is the main thing most people want to connect. Any suggestions?
is it just me or is the audio left side biased hmmmm had to turn off surround sound for this video
Do you think it's risky for me to be using the authenticator from my password manager?
It can be, yes. I used to keep many of my TOTP keys, recovery keys, and stuff like that in my password manager, but since migrated them to Standard Notes. By separating them, an attacker now has to compromise both my password manager and SN in order to fully compromise my accounts.
I hope that's a useful and satisfying answer to your question!
I mean does it matter ? If it's not Fido2 then it all can have cookie sessions or tokens captured with a phishing link.
I can't imagine taking a physical 2fa key with me everywhere I go. Just doesn't make sense.
Keys? Wallet? ID? A dinky key fits in my wallet no problem. But also cookies keep your phone logged in. Do you have to use 2FA every time you open an app on your phone? Probably not - if anything biometrics allow you to open your secure apps. You're not using a hardware key every day - you use it for your new devices and anything with public access.
why does Authy keep blocking all tokens ? even if I enter the backup password, it says it's not good even if it's good because I still have the application on another device where it works perfectly
Great video. I'm trying to transfer my accounts from Twilio Authy to Google Authenticator.
Would using the Yubico app have the same level of security as using the key directly as 2FA and not to generate TOTPs?
Uhhh I'm not sure I understand your question. The app requires you to unlock it via a yubikey. When using the yubikey on its own as MFA on websites, it depends on what protocol the website is using (FIDO U2F, TOTP, etc etc). Time based codes are never gonna be as secure as FIDO U2F since codes can be stolen.
@@ShannonMorse using the YubiCo app the codes are generated only if the hardware key is brought close. If I don't have the hardware key I can't do anything. Similarly, if I set the hardware key directly on my account, Google for example, as a 2FA system, no one will be able to enter unless they insert it or bring it closer to the device being authenticated. In both scenarios, security is linked to the hardware key. I hope it was clearer. thanks for the previous reply ☺️
How does that protect me from somebody trying to swap my sim card?
As of March 2024, the Twilio Authy Desktop application will no longer be supported, which means the application will no longer receive updates, bug fixes, or security patches. Users of this application will need to switch to other supported authentication methods to ensure the security and safety of their data.
Using bitwarden. Is it a bad practice to use the authenticator that's built in to it? Putting all my eggs into same basket? I do use yubikeys btw
@iSucrose asked a similar question above and I gave what I hope was a good answer to it. At the end of the day, it depends on your risk tolerance and threat model. I know that's a common thing for security people to say, but it really is true. 🙂
It comes down to what you're trying to protect, and from who. I.e., as @ThatNateGuy states, your risk model. TOTP with Bitwarden is very convenient. But some would argue that putting both your passwords and your TOTPs in a single app and single device defeats the purpose of 2FA. If a bad actor can gain access to your Bitwarden account they get both credentials. But even just using a password manager and an authenticator on the same phone increases your risk if someone steals or impounds (think a law enforcement or border control agency) the device.
It doesn't have to be an all-or-nothing decision. I use my password manager for TOTP on low- and medium-risk sites, and a separate authenticator for high-risk sites.
@mrkmdz But if you use a Yubikey (or two) to protect your BitWarden vault then doesn't that mitigate the risk? This is what I do. I like the fact that to add my BW vault to a new device requires one of my Yubikeys. And to gain access to BW requires the pass phrase or a biometric scan, so there are always two factors needed.
@@Dobbo314 In general, yes. You need your BW passphrase + Yubikey to authorize a new device to access your BW vault. Then you need possession and control of your phone + biometric identifier + a memorized secret (either the BW passphrase or PIN) to unlock the phone and open the BW vault. Both of these processes are protected by at least two strong (AAL2) factors.
I wonder how soon it will be before we need authentication apps to access the authentication app. I wonder how soon off retina scans will be or every device has a DNA sequencer built in to verify identity?
Like the Enterprise D in the background.
I'm using Yubikey authentication and Aegis authenticator. Also locked down my Windows, Pop!_OS, Kali Linux with my 2 Yubikeys.
Love your style and videos and all for Yubikeys
💊 Get well soon and Happy New year Sailor Moon Shannon! 🌙
Can someone help me?
Don't use the ones from google or microsoft, if you do....just don't use anything already
Yeah these two are just bad
Thanks for sharing. Blessings on your day!
it is very frustrating that authy windows is End of life. So Stupid
Nice work Shannon 👍
Is it possible to export my Google Authenticator Codes to my Yubico?
No, you'd have to re-authenticate your yubico on the websites you originally set up 2fa on. You'll need that QR code again
Is that your natural hair color?
Didn't Twilio have a data breach ??
My Google Authenticator is protected by FaceId.
Google Authenticator is bad
It's Dec 24th 2024 now. Who's here ? 😀
Good Work Shannon. Love from India
Aegis vs Yubico
More like hoarse code….? Ehhh ehhh?
All bad shit jokes aside, get well soon. I just had pneumonia gifted to me by my coworkers and almost died. Not an awesome way to spend Christmas.
You rock and get your rest lady!!!
I like 2fas
Raivo OTP?
@@MaxMustermann-vy7ur Raivo is cool but they did get bought out here recently
Welcome to 2025!
I knew well before the end yubico would be the winner cos they sponsored this video, but good vid
It's 2024, and I still love Shannon's nails
But what is up with her hair?!? There is only one tint in it!
I'm only posting this because I can remember a post where she bemoans derogatory comments about her tints. What drew me to this channel was her approach to the topics she covers. I like the way she thinks; it aligns mostly with my own; and where we differ makes me reassess my own thinking. I'm not saying that I always agree with her - but her presentations allow me to assess my own constructively.
Yubico Authenticator doesn’t work with the security keys. That’s a no-go for me....
Happy Happy 🎉🎊🎇
Get away from Google!
2FAS ftw
Thanks for my $5 off on both my Yubico Keys
Woohoo!
❤🎉
Bitwarden