How Security Keys work (2FA explained!)
ฝัง
- เผยแพร่เมื่อ 31 พ.ค. 2024
- Out now NBTV’s new Ebook - Beginner’s Introduction to Privacy - available at:
amzn.to/3hCGEmk
For most people, a weak password is all that’s standing between your digital life and a hacker, and if that password is ever cracked, or leaked, you’re in big trouble.
Security keys are one of the best ways to protect your accounts. They’re incredibly convenient, easy to use, and provide the best kind of multi-factor authentication. In this video we’re going to explain how security keys work, and show you how to choose one that’s right for you.
We dive specifically into Yubico "Yubikeys" and other products in this video, and will look at open source alternatives in future videos!
00:00 Intro
00:33 2FA and Multifactor Authentication
03:13 TOTP and Authenticator Apps
05:38 What is a Security Key
09:03 How To Use a Security Key
10:18 Understanding Security Key 2FA
12:04 Security Key Models
15:18 Important Tips
17:04 If Security Keys Are Not Accepted
18:10 Outro
More and more websites support security key 2fa. If you want the best chance of fighting off phishing attacks, you absolutely need one of these protecting your accounts.
Brought to you by NBTV members: Lee Rennie, Reuben Yap, Sam Ettaro, Will Sandoval, and Naomi Brockwell.
To support NBTV, visit www.nbtv.media/support
(tax-deductible in the US)
Sign up for the free CryptoBeat newsletter here:
cryptobeat.substack.com/
Beware of scammers, I will never give you a phone number or reach out to you with investment advice. I do not give investment advice.
Visit the NBTV website:
nbtv.media
Watch this video on Odysee!
open.lbry.com/@NaomiBrockwell...
________________________________________________________________________
Here are a bunch of products I like and use. Using these links helps support the channel and future videos!
Recommended Books:
Permanent Record - Edward Snowden
amzn.to/305negc
No Place to Hide: Edward Snowden, the NSA, and the U.S. Surveillance State - Glenn Greenwald
amzn.to/2UQmJ4m
What has the government done to our money - Rothbard
amzn.to/2KMzmcu
Extreme Privacy - Michael Bazzel (The best privacy book I've ever read)
amzn.to/3BLZ1gq
Naomi's Privacy Bag: some of my favorite products to help protect your privacy!
Use the Brave browser! brave.com/nao076
USB-C to ethernet adapter:
amzn.to/2lOVBoy
Faraday bag (signal stopping, to protect your fob, credit card, computer, and phone)
amzn.to/3DjIvCP
Data Blocker (if you're charging your phone in an unknown port, use this so that no data is transferred)
amzn.to/2SVh0J2
Computer privacy screen (use your computer in public? Keep your information safe! Choose the size right for your computer)
amzn.to/3F816Sn
Phone privacy screen (don't let people in public see your private data, choose the size for your phone)
amzn.to/3wNtYwb
Camera cover (for computers and phones, so no one can access your camera without you knowing)
amzn.to/2Mt7Hic
Privacy Tip: Turn off your wifi and bluetooth when you're not using them!!! - วิทยาศาสตร์และเทคโนโลยี
I'm glad you focused on just one product. I'm "technologically challenged" and information overload is a real problem for me.
Great content as always Naomi.
It's a fantastic service you are providing explaining how to secure our online transactions & keep our information safe.
Please keep up the great work you do 😊
Greg
Public key security is awesome. Phil Zimmermann and others changed the world. God bless them. God bless you and your team, Naomi. You bring good knowledge to many seekers. Thank you.
Agreed, public key cryptography is amazing. Phil Zimmerman is a hero.
That's only one thing I can say about this video, AMAZING, I have never thought about security on that way, it's shocking when you realize that you're unprotected
I appreciate this video about security keys, you made it seem very simple. I think I am finally convinced to take the plunge, although password managers and security keys seem harder to implement when families are involved with shared passwords and access like they are in my household. I guess that sharing just makes the security more important, but it requires changing some habits as well as adding some new technology like security keys.
Oh passwords managers make it even easier for families because you can share passwords super easily!
Naomi! I love your videos on security issues, always well researched and clearly presented. I’m hoping you will do an in depth video on PASSKEYS soon!?!? any clues as to when we can expect this?
🙏
I allways wanted to get a Key, but was overwhelmed by all the information, thanks for clearing this very important topic for nubs like me greeings form Switzerland
This channel is a blessing. Your videos are amazing! ♥️♥️✨
Great video Naomi, Yubico, what a great explanation......Thank you!!
Another great video to get my head around. Thank you Naomi
I have thought about this level of security for quite some time. After this review, I think it’s an important addon to consider. I think I will order a Yubi
Great video! Thanks to you and Yubico.
Thanks Naomi. Looking forward to your open source comparisons and options. Assuming Nitrokey and hopefully soon Mullvad.
Loved you honest and easy to follow video , thank you ❤️
I been using them for years love these keys, btw love love your channel.
Naomi Is Awesome! Thanks for The Insights and Tips. I've learned A Lot watching Your Videos. Thanks
Naomi represents greatness.
Brilliant so much information but very useful and helpful, thank you.
You are the BEST Naomi !!!
Great video. I have been using Yubikey on critical accounts for a while now and it helps me sleep at night. Still shocks me that Bank of America only allows 2FA via SMS or email. I have written the angry emails but they don’t care.
Every bank I've used has only ever allowed SMS as 2FA. It REALLY makes me mad, and I don't understand how institutions that handle sensitive, financial information don't have security keys or, at the very least, OTPs as a method of 2FA.
Financial institutions (like banks and credit card companies) are notorious for not supporting physical keys as 2FA.
Bank Of America does support Yubikey.
Great explanation Naomi!!
Excellent breakdown of security keys
Great video, lots of useful stuff, thanks
Great info. Thank you Naomi.
Very very useful info Naomi. Thank you. I think losing these keys are going to be a problem....
Make a backup!
Great video. Thank you!!
What happens when the security key malfunctions? To fix this two or more security keys should be made registered where either one of them can be used to unlock the user from the mess.
I was also worried about this... What if I loose it, or it is damaged... Will I be locked out of my accounts?
Naomi didn't mention if there was a seed phrase or something similar to use to recover if those scenarios happen.
That's why they said to get multiple keys. Having a seed phrase somewhere is a risk. If one key breaks or gets lost, you can use the other. If you register multiple keys to an account, you can use any of them to access it.
@@TMOC1977 That's why she said you need to get a minimum of 2 keys
I have used yubikeys for years... Everyone should do the same, in fact some of my relatives and friends are going to receive yubikeys as Christmas' present.
Thank you sooooo much for doing this video! I use 2FA on my of my accounts but my old email was hacked recently, and it was devastating. I saw this security key option on some accounts, but it was very confusing. I will be ordering one of these options directly from the supplier tonight. Thank you again for helping to keep us safe.
💛
my bank has rescinded email and landline options for receiving verification codes and will do so only on smartphones
@@edwardmacnab354 : The problem with have a code sent to a smart phone is, if I am outside my home country I don’t use my phone because of the high roaming cost.
I once had to open my phone, in a different country, and after being closed for a month I received hundreds of emails and notices that were “parked” because the phone was closed. It cost me a fortune just to use my phone for five minutes. With email, I can use WiFi on my iPad to receive the authorization code without any cost. Using your cell phone is fine if you are within your provider’s territory.
@@Itsme-vo4fx I have two situations where my bank AND microsoft on windows 11 will not allow email or landline but only text and I do not have a mobile device that receives text. I have a landline that does not do text . Also, thanks for the heads up on that "parked" dam burst overcharge situation . with the backed up email . Terrible !
Excellent information!
When you talked about TOTP you could have referred Aegis OTP android app, It's Foss! Great work regardless!
Very informative, thank you
Hello. I go through google translate (sorry, I'm French): Thank you for your video which is very instructive. You demystify computer security.
Thanks so much for watching! 🥐
Great video!
I like this vid. Good insight.
Excellent video and couldn't have come at a better time as I've just received a set of security keys but have not set them up yet.
I have read online of people using the same code to register their main as well as backup keys while in the video, the backup key is registered with a different code from the main key. Maybe seasoned security key users here might be able to comment on which method is better? Or maybe it doesn't make a difference?
I have a variety of devices on several platforms and the one that makes me hesitant about the YubiKey is the support for USB-C iPads isn't great. It's an Apple problem, not a Yubico problem, but still something to consider.
Thanks for adding actual captions for the Deaf
Nice content👍👍 can you secure a computer or mobile device operating system with a yubico key
GREAT INFORMATION!👔😀
It's the best 👌 thanks alot
Thanks...I got a Yubikey a couple of years ago and it wound up being more of a pain than anything else. Not really the key's fault but the number of websites that didn't support 2FA via a security key. Most of them did support one or more authenticator apps so that is the way I've gone when I could and SMS when that is the only thing available. Now If I could just get the rest of them to move away from re-Captcha
Yubikey 5 supports TOTP, which are the authenticator app codes. You can use it those as long as you have the Yubico app that supports them.
That being said, I still think even the more basic Yubikeys are worth it for protecting your most sensitive accounts (email, password manager, bank if you can). Even if most regular things don't support it, the important things do, and that's what matters imo.
SOOOOO helpful!
Hi Naomi, best 2fa for iPhone, many options, don’t know how to choose. I’m little slow😂😂😂😂thank you
What's TH-cam doing not recommending this channel all those years?
I too was also a Contractor for many years in the communications industry.
I literally got to install the very first real time Packet Sniffing Server on the West Coast of Canada Friday the 8th 2001. At that time the Co that i worked for handled about 99% of the Data on and off Vancouver Island British Columbia Canada.
The Black box was mandated to be installed in every head end in Canada that sold the internet or lose the ability to sell the internet. Mandated by the CRTC just before 911. Funny part of that story i helped install that Black box Friday and then Tuesday this group of people flew planes into building and life changed for everyone almost instantly. Pretty funny story when only a couple of us new that 1/2 mill box was sitting in our head end. The going joke back then when someone was standing next to it.. We would mutter.. That's one hell of a Black Box.
As of late we have been told that the federal police in Canada's Communications network is now compromised by overseas Countries, last week we were told that all Video surveillance security devices in North America also compromised. My bet is not one chip shipped in the last 50 years would not pass the new inspection process. Pretty funny story Bro.
Thanks for your expert research and information! ❤
Can using a security break siloing/isolation by being linked through the Key ID?
Reflections and observations....
1) Showstopper bugs as more of these are deployed. Emergency patches for your little key.
2) Your primary and backup both get stolen/damaged/lost, especially when traveling internationally.
3) The joy of dealing with logins when traveling after both keys, for whatever reason, choke.
4) Designing security that relies on cheap, fragile dubious hardware.
5) Hacks to work around the root cause, which are operating systems that have horrible, creaking architectures baked in which invite endless flaws and bugs (0 day exploit du jour).
6) Making the login process so tedious and annoying that people just start avoiding doing business online as the overhead, stress and drama is intolerable.
7) You need a trusted friend or family member to log into your account during an emergency (like being detained by authorities in some borderline police state) and they have confiscated your keys. You are so screwed.
The examples given above are all based on real events encountered over the years in my job.
I've been in the computer security business for a long time. It continues to devolve. Hacks on top of hacks.
I'm halfway through Cory's "Attack Surface", so I'm inclined to believe you.
Plus the other peeps above who mention the Security Keys are only ever an "option" for websites, with the fallback being phone text or email, which seems to render these keys of very little actual use.
Please start a channel ! ALSO--- I'm going to use phone text verification for all my online banking transactions , it seems reasonable but then, the bank gives me no other option anyway. I cannot say how well this works as I haven't even set it up yet . I wish I could just mail cash to people , far less risky !
Thanks
Thanks again for the great information! So do I understand that correctly that to back up your login method in case you lose/break your key, you still need a different (ideally 2FA) method to log in? (Be it another key, TOTP etc)
Yes. Backing up your 2FA is indeed a problem few people talk about. This area is where authenticator-apps based schemes actually have an advantage: most offer to back up your set of TOTP settings & secrets automatically & regularly. However, those backups have to be stored in a safe way, too.
As for hardware tokens: I have several friends that actually have two sets of tokens: one for daily use, carried around with them; and another one for backup purposes, stored somewhat safely but still easily accessible. For each new site they want to access they enroll both hardware tokens.
If you don't have any type of backup of your 2FA device/software, you implicitly rely on the site's password recovery functionality - and all the insecurity that might entail (mostly a question of how secure your email account is). Then again, I don't know a lot of sites that actually allow you to disable password recovery functionality for your account. It's all a bit… meh.
@@mbunkus Oh, I didn't even think about the password recovery options, thanks a lot for your insights!
at 16:41 you say that if your key is lost/stolen, you just log into the affected accounts and delete that key. So I assume you have to use the backup key to log in, right? Thanks.
Thanks!
Wow thank you so much for your support!!
Great idea, too much trouble, all my users forget or lose their keys unless you tie it to them.
Also it better be frost, heat, and water resistant.
PIV is definitely my favorite way to authenticate...
And I'll see myself out now.
If someone gets hands on your security key( yubikey) can it be modified?
Do you need multiple physical keys, for example, if you had more than one twitter or gmail account?
It seems like the Webauthn passwordless technologies such as Apple Passkey eliminate the need for hardware keys such as the ones made by Yubico, at least for individual users. Do you agree?
Yubico's website suggested the bio series don't have PGP. I'm confused.
Is the Google Titan key good?
can i add yuby key on to the trezor?
Minute 16:30 if someone steals my bag that has my laptop and authentication key. How can I log into my account from somewhere else when I don't have the key and I didn't make a backup?
So two or more keys can be tied to any one account at any one time, and any one of the keys can grant account access?
I use these yubikey security keys and they can be a hassle to use. Especially if you want to make a backup key later.
Hi, thanks for the video. I would like to mention though that I come from Instagram and the title of your videos did not make it easy to find the one I was looking for 😅
Can you make a video privacy focused NAS/Home cloud storage.
I'd always thought it was strange that asymetric keys weren't used for web site authentication. It's nice to know this tech is now being utilised.
It already does. Web sites now use https and it uses public key cryptology to prove that you are connecting to a site that it claims to be.
@@catchnkill Yeah that's not what I meant. I meant that you can't register to a site by giving them a public key so then only someone with the corresponding private key could then login to that account.
If I am using security keys do I turn off all other 2FA options (SMS and Authenticator App) to maximize security? Or is it okay to leave another option turned on (for example Authenticator App) in case I lose my security keys? In other words, what are the recommended best practices when, for example, an account like Facebook allows for several 2FA options to be turned on at the same time?
I would turn off sms where you can
Where do i make the purchase for those security keys? 😮
Make a video about Google authenticator. Because Yubico key it's not selled in my country : (
Your video has spurred me on to look in to these devices. A quick comparison on price with Yubico and Google's Titan shows the latter at 2/3rds the cost of Yubico and the Titan cost is for two devices.
Now I know one usually gets what one pays for but these do look very simple solid state hardware devices so am wondering what would prompt someone to buy an expensive one.
www.zdnet.com/article/new-side-channel-attack-can-recover-encryption-keys-from-google-titan-security-keys/
@@NaomiBrockwellTV Thank you for prompt reply. Report does suggest physical possession of key is required to enact the vulnerability so guess it negates that weakness unless keyholder is a particular target.
Further to my earlier query, the Google Titan sales page is a wee bit misleading, under what's in the box it gives the impression two devices are included, it is actually just one which therefore negates any initial bargain impression.
You can't state it enough. You need to be as secure as you can make yourself online. No one is going to take care of your online presence if you don't do it yourself. You may be just one fish in a huge ocean, but there are many people just looking for an opening to take whatever they can get from as many people that they can to benefit themselves. So, using any extra security just makes sense, even though it may be sometimes annoying to have to use it.
Once you start using extra security and get used to using it all the time, you will not notice that inconvenience anymore. It'll just be habit.
I got 6 yubikeys, 2 security keys, 2 Yubikey 5C NFC USB-C and 2 Yubikey 5C NFC FIPS 140-2 USB-C. Not gonna lie it’s very addictive!
What if Last Layer would have Weakness for messing everything around and no point for previous Inputs?
If an online service (primarily banks) only offers Email or SMS for 2FA, would Email be the better choice if it's locked down with a Yubikey?🤔
A service locked with a yubikey is going to be better protected I would presume
I use my Yubikey 5 for my Windows login also.
You look amazing without glasses.
What if my email is MSN and not Gmail AND the email is hidden in a Password Vault? AND, what if I want to only use a Security Key for the iPhone and NOT the Desktop Computer?
You didn't discuss the most important issue: compatibility with web sites that the individual needs to use. The much larger challenge is for web sites, enterprises, services, etc. to adopt a given mechanism for individuals to use for 2FA. What good is any of these security keys of web sites don't offer it as an option for 2FA?
At the end of the video around 17:00, you briefly discuss this, but you could enhance the discussion by addressing the various protocols and the problem that, even if a web site offers security key 2FA, the problem is compatibility and support of specific systems and protocols.
Very interesting videos about security. I have one doubt though: I feel these keys are really secure against online threads, but aren't they much less secure physically? I mean, what if your children take it while you're sleeping to buy stuff online? Or worse, why if during a break at work, you leave it plugged in your laptop and a college or boss use it to spy on you?
My examples are quite simple, but I suspect there're some potential risks there, at least from a first look at it.
Well even if they had the yubikey they would need to have access to your open computer with an open email right? Just remember to log out and it is fine.... And if this still concerns you, get a bio yubikey that requires a fingerprint too
I'm using Google titan keys , with Google advanced protection enabled , I found yubi to be a bit tricky on android
As far as I know, banks in India provide only SMS based 2FA, which is highly insecure and most government bodies don't have any form of 2FA at all. If they do, it's only SMS based 2FA again. 2FA and security in India really needs a big boost.
Banks everywhere are notoriously awful with customer security options
Now if they could make one with builtin key fob ability and schlag door locks that support ncf and fido and then just slap an airtag key chain on it and it would be the only thing and your phone you'd have to go out the door with.
Now you have to use passkey in Google so how do I go back to only using a security key.
they are quite expensive, but worth it
So where are all of the follow up videos going over keys other than YubiKey and Fido2 authentication???
With the increasing number of websites that mandate you to download an app on your phone, and then scan an on-screen QR code for authentification, there needs to be a safer alternative for those who don't want the risk of a phone app. One better way of doing this would be a dedicated device, or just an updated login key device, that would have a camera that would allow to scan on-screen QR codes.
My bank uses 2FA codes sent by email-but I have also set up with it voice identification. So isn’t that really 3FA?
Can I later opt out of using a key? What if I lose the key?
create a backup. And you can always opt out later.
❤️❤️❤️
I lose my car keys...can't imagine carrying a Yubi key. 🔑
Do you lose them just in your home or everywhere you go?
This is why you never buy just one, buy at least two, personally I have 3. Keep one spare at home and the other at a trusted family member’s home
@@kimsvendsen chances are your SMS codes are more likely to get hacked via sim swap or clone rather than hassles of these keys
@@speedracer9132 fact is, as much as we like to think hacking is solely technical, hackers always go for the lowest hanging fruit.
Some countries have much stricter regulations and invasive identity checks for SIM registration like compulsory in person checking, (though easily beaten by corruption.) Even then, pickpocketing and theft are more common, making an authenticator app or sms more safe in these cases. Hell sometimes you can't even buy genuine hardware keys without insane tariffs & markups as an individual.
This is why threat modeling is necessary. In edge cases, fundamentally more secure options can end up being less optimal.
@@kimsvendsen Loose 1 key still have your hardware YOU can remove the lost one, but if they get in your house and stealing all together you maybe right I dont know, what I do know is SMS is weak and easy to intercept. Conclusion, maybe you need to look a better way for 2FA sms? Solution, I dont know what is the best and most secured way. It depends personal and in wich case because we use all different senario. That is why for example a Yubikey has not just 1 kind of key, but many to choose from.
Tubi key 🔑 is the best for security.
Can you show us how to set it up? It’s hard to understand
Good idea, perhaps I'll put out a supplementary video. In the meantime, whichever account you want to add this 2fa for, go to the security settings for that account, and it will tell you whether they support security keys or other 2fa methods!
What is the use of 2FA and security key if your wifi is hackable with a single linux command ?
Why do u hack the wifi in the firdt place, is it not to get password, now via security keys no password to send. The private key only stays on the device, you can't get it.
the problem that render this keys unless is that when You get your session cookie after you do your MFA. If your session cookie is long-lived, and the adversary steals it, then they can impersonate you without compromising your MFA.
So basically u have to buy 2. And u need to take this key with u every where if u want to access your account(s). Its interesting idea. But I can seeing being really inconvenient at times.
The question is, does these keys support crypto wallets like trustwallet, metamask etc?
Yes it’s more inconvenient, absolutely worth it for the increased security.
Realistically, you only need to link it to your most sensitive accounts, which you probably won't need to re-login to often, and you can attach a Yubikey to your car keys or something like that as well so it becomes less of a hassle to remember.
Will passkey make hardware key’s irrelevant?
I don't think so, you should still use 2fa even when passwordless
Would be even better if they allowed people to choose this as the first factor of authentication before the password can be tried.
What about Pegasus?
Wouldn't using a hard key be 3FA?