Thanks. That method relies on end-users (i.e. the weak link) setting it up to match their working hours, and assumes the prompts come at night. Another tactic is to send them at the start of a working day when people are likely expecting a legitimate promot anyway. When I'm away from my desk it's not uncommon that something I'm logged in to will time out, reconnect, and I'll get a prompt. Without some form of matching there's no way to tell if it's legitimate, and there's a risk of people becoming conditioned to pressing "yes".
I appreciate the copious amount of info, clearly laid out in sequence, on this video. Do you recommend getting the Yubikey directly from the manufacturer or will Amazon suffice? I ask because I see parallels with Crypto hardware wallets where it is universally recommended to buy directly from the manufacturer (thus removing the threat of tampering).
That's a good question. Yubico has a list of official reseller partners here: www.yubico.com/support/resellers/ Any of these should be safe, having been vetted and approved by Yubico. The link in this video's description takes me to the Amazon UK store of Distology - one of Yubico's approved UK distributers. In other countries it may direct you to different Amazon store, appropriate on your location. If you check the seller is on Yubico's list you should be safe.
Thank you so much for your hard work! 😊 I’ve got a question: 🤨 I have a set of words 🤷♂️. (behave today finger ski upon boy assault summer exhaust beauty stereo over). Not sure how to use them, would appreciate help. 🙏
why cant we have a 2 factor authentication that involves businesses doing something in the background that the user does not have to bother with? for example, why not have something something that does not involve the user chasing around some sms code or pass code? lots of people do not like 2 factor authentication, they say its annoying. maybe businesses should listen to people and get rid of 2fa or find something that is less annoying to verify someone's identity.
I'm still somewhat hesitant to these dongles because of practical use. Will you use them each time you login to your email/facebook/etc? you carry them around the whole time? Or do you accept some devices as trusted? There is always this trade between usability and safety.
Mine's on my keyring. I can't leave the house or get in my car without my keys, so it's always close to hand. There is a tradeoff when it comes to trusting devices. I'd say you always need MFA for the initial login, and if you trust a device it needs to have some protection on it, but other than that the duration you trust it for is based on risk. My Facebook account - don't really care, require MFA then let me stay logged in. Anything that can be used to access customers - require MFA every single time I switch on.
Hi there...Have a question for you. I bought (2) Yubikey NFC 5 series after watching your videos. I did the set up process on my Macbook Pro and iPhone. But I could still sign in using my laptop password only, Yubikey will only prompt me to enter my Yubikey code IF the key is inserted in the USB-C. Am I supposed to disable my laptop sign in? Same with my iPhone, I can still sign in with my phone passcode or face ID. It's not asking for the Yubikey. Kindly advise....Thanks much!
I'm not 100% sure what you're trying to do. The authentication method covered in the video was FIDO2/WebAuthn, which is used for authentication to websites. The YubiKey 5 can be used for other authentication methods as well, including acting as a USB smart card (also called PIV). If you're logging on to a Mac with it, I suspect that's what you're using. I don't have a Mac to test with, but the instructions here may be helpful if you've not already seen them: www.yubico.com/works-with-yubikey/catalog/macos/
Demos from Google and Microsoft usually show passkeys being set up tied to devices eg mobile or PC. Now I see Password Managers are starting to store passkeys - how does this tie into devices? Is the passkey tied to the PWM and thus available to use on all devices where the PWM is installed? Hardware eg Yubikey has the hassle of creating 2 copies as backup and seems for the average user more hassle than software passkeys.
Passkeys tied to individual devices are perfectly good. I'm not so keen on passkeys that are synchronised between devices (e.g. sync'd to a Google account or a password manager). This makes them more convenient but it partially negates the security benefit of requiring access to a specific device if you only actually need access to a specfiic account to retrieve the passkey, and can access that account from anywhere. They're still better than using a password, but not as secure as a standalone FIDO2 device. What I find myself doing these days is registering a Windows Hello passkey for each of my regular computers, and then a YubiKey I can use if I'm using any other device or as a backup to Windows Hello. I think that's a good balance between security, convenience, and flexibility; but it requires more thought than just slapping in your Google account onto every device.
@@ProTechShow Thanks. For mass adoption of passkeys there really needs to be a single simple way to do it otherwise the mass market ie non-IT, won't adopt it. FIDO Alliance is aware of this but guess it will take some time to firstly adopt and secondly implement a consistent method.
Yes, I agree. I suspect passkeys that sync to Microsoft/Google accounts will end up being the solution that gets adopted by most as they'll be built-in with a lot of devices and the respective vendors will shove them down people's throats. I'm not a big fan of syncing it to an online account, but it is the path of least resistance. There is already a problem with Google accounts being targeted to get at all of the sync'd passwords from Chrome, and this will increase the impact of thoses attacks if it exposes your passkeys as well. It also creates a chicken-and-egg probelm - if you need to log in to your Google (Or Microsoft, password manager, etc.) account to get you passkey, you can't use the passkey to protect the Google account that contains all of your keys. So I assume the account with all the keys will need to have a less secure way to log in... Still, I don't want to complain too much because it's an improvement over the basic passwords most people are actually using!
I been at this a month now about the sms can be hack the email about the down side the voice mail thr Yubi key I am old school I am facing the unknowns it's like I am facing a nightmare it's something new to login.
Depends how it works. If it's storing a unique key securely on the device then it's a valid possession factor. It depends how securely the key is stored and how well it validates the identity of a target website before it passes through the authentication. I wouldn't be keen if it syncs with multiple devices as it partly undermines the proof of possession. If it's a password manger extension that includes 2FA then my thoughts are covered in this video about the way Bitwarden does it: th-cam.com/video/646dlqdcbMk/w-d-xo.html
Yubikeys and similar physical keys seem to be poorly designed for their intended purpose of portability; in my pocket, it would end up with lint, sand, dog fur... Looks like a good market niche for yubikey cases...
I've had a YubiKey in my pocket for a couple of years. It's attached to my keyring so it goes everywhere - beach with the kids included. It doesn't really have any gaps for stuff to get stuck in so it hasn't been a problem for me. My car keys are more likely to collect dirt than the YubiKey.
This video needs to go viral in every company
Thanks! Make it happen, folks 😉
Couldn't be more timely! Great overview!
Thank you 🙂
Very happy with my new Yubikey and reassured with the additional layer of security its giving me. Many thanks for the inspiration to look into this!
You're welcome. Glad to hear it was useful!
Great video! But for the MFA fatigue you could just disable notifications for certains apps at night for example, and just ignore the prompts.
Thanks. That method relies on end-users (i.e. the weak link) setting it up to match their working hours, and assumes the prompts come at night. Another tactic is to send them at the start of a working day when people are likely expecting a legitimate promot anyway.
When I'm away from my desk it's not uncommon that something I'm logged in to will time out, reconnect, and I'll get a prompt. Without some form of matching there's no way to tell if it's legitimate, and there's a risk of people becoming conditioned to pressing "yes".
I appreciate the copious amount of info, clearly laid out in sequence, on this video. Do you recommend getting the Yubikey directly from the manufacturer or will Amazon suffice?
I ask because I see parallels with Crypto hardware wallets where it is universally recommended to buy directly from the manufacturer (thus removing the threat of tampering).
That's a good question. Yubico has a list of official reseller partners here: www.yubico.com/support/resellers/
Any of these should be safe, having been vetted and approved by Yubico. The link in this video's description takes me to the Amazon UK store of Distology - one of Yubico's approved UK distributers. In other countries it may direct you to different Amazon store, appropriate on your location. If you check the seller is on Yubico's list you should be safe.
Thanks for this one Andy - very helpful. I will have to login to my HMRC account soon, pretty sure they use a SMS one time code for 2FA.
I'm sure they can use TOTP as well (they have their own app but it it's a standard TOTP that will work with any app)
Thank you so much for your hard work! 😊 I’ve got a question: 🤨 I have a set of words 🤷♂️. (behave today finger ski upon boy assault summer exhaust beauty stereo over). Not sure how to use them, would appreciate help. 🙏
why cant we have a 2 factor authentication that involves businesses doing something in the background that the user does not have to bother with? for example, why not have something something that does not involve the user chasing around some sms code or pass code? lots of people do not like 2 factor authentication, they say its annoying. maybe businesses should listen to people and get rid of 2fa or find something that is less annoying to verify someone's identity.
I'm still somewhat hesitant to these dongles because of practical use. Will you use them each time you login to your email/facebook/etc? you carry them around the whole time? Or do you accept some devices as trusted? There is always this trade between usability and safety.
Mine's on my keyring. I can't leave the house or get in my car without my keys, so it's always close to hand.
There is a tradeoff when it comes to trusting devices. I'd say you always need MFA for the initial login, and if you trust a device it needs to have some protection on it, but other than that the duration you trust it for is based on risk. My Facebook account - don't really care, require MFA then let me stay logged in. Anything that can be used to access customers - require MFA every single time I switch on.
E
Hi there...Have a question for you. I bought (2) Yubikey NFC 5 series after watching your videos. I did the set up process on my Macbook Pro and iPhone. But I could still sign in using my laptop password only, Yubikey will only prompt me to enter my Yubikey code IF the key is inserted in the USB-C. Am I supposed to disable my laptop sign in? Same with my iPhone, I can still sign in with my phone passcode or face ID. It's not asking for the Yubikey. Kindly advise....Thanks much!
I'm not 100% sure what you're trying to do. The authentication method covered in the video was FIDO2/WebAuthn, which is used for authentication to websites. The YubiKey 5 can be used for other authentication methods as well, including acting as a USB smart card (also called PIV). If you're logging on to a Mac with it, I suspect that's what you're using. I don't have a Mac to test with, but the instructions here may be helpful if you've not already seen them: www.yubico.com/works-with-yubikey/catalog/macos/
Demos from Google and Microsoft usually show passkeys being set up tied to devices eg mobile or PC. Now I see Password Managers are starting to store passkeys - how does this tie into devices? Is the passkey tied to the PWM and thus available to use on all devices where the PWM is installed?
Hardware eg Yubikey has the hassle of creating 2 copies as backup and seems for the average user more hassle than software passkeys.
Passkeys tied to individual devices are perfectly good. I'm not so keen on passkeys that are synchronised between devices (e.g. sync'd to a Google account or a password manager). This makes them more convenient but it partially negates the security benefit of requiring access to a specific device if you only actually need access to a specfiic account to retrieve the passkey, and can access that account from anywhere. They're still better than using a password, but not as secure as a standalone FIDO2 device.
What I find myself doing these days is registering a Windows Hello passkey for each of my regular computers, and then a YubiKey I can use if I'm using any other device or as a backup to Windows Hello. I think that's a good balance between security, convenience, and flexibility; but it requires more thought than just slapping in your Google account onto every device.
@@ProTechShow Thanks. For mass adoption of passkeys there really needs to be a single simple way to do it otherwise the mass market ie non-IT, won't adopt it. FIDO Alliance is aware of this but guess it will take some time to firstly adopt and secondly implement a consistent method.
Yes, I agree. I suspect passkeys that sync to Microsoft/Google accounts will end up being the solution that gets adopted by most as they'll be built-in with a lot of devices and the respective vendors will shove them down people's throats.
I'm not a big fan of syncing it to an online account, but it is the path of least resistance. There is already a problem with Google accounts being targeted to get at all of the sync'd passwords from Chrome, and this will increase the impact of thoses attacks if it exposes your passkeys as well. It also creates a chicken-and-egg probelm - if you need to log in to your Google (Or Microsoft, password manager, etc.) account to get you passkey, you can't use the passkey to protect the Google account that contains all of your keys. So I assume the account with all the keys will need to have a less secure way to log in...
Still, I don't want to complain too much because it's an improvement over the basic passwords most people are actually using!
I been at this a month now about the sms can be hack the email about the down side the voice mail thr Yubi key I am old school I am facing the unknowns it's like I am facing a nightmare it's something new to login.
Any factor that requires me to have a phone with me is a no-go.
Fair point. There are a couple of places I've worked where phones aren't allowed onsite, so dongles it is.
What are your thoughts on 2fa browser extensions
Depends how it works. If it's storing a unique key securely on the device then it's a valid possession factor. It depends how securely the key is stored and how well it validates the identity of a target website before it passes through the authentication. I wouldn't be keen if it syncs with multiple devices as it partly undermines the proof of possession. If it's a password manger extension that includes 2FA then my thoughts are covered in this video about the way Bitwarden does it: th-cam.com/video/646dlqdcbMk/w-d-xo.html
nice
Thanks
Yubikeys and similar physical keys seem to be poorly designed for their intended purpose of portability; in my pocket, it would end up with lint, sand, dog fur... Looks like a good market niche for yubikey cases...
I've had a YubiKey in my pocket for a couple of years. It's attached to my keyring so it goes everywhere - beach with the kids included. It doesn't really have any gaps for stuff to get stuck in so it hasn't been a problem for me. My car keys are more likely to collect dirt than the YubiKey.
Awesome!
My dongle 🤣