How Does a Hardware Security Key Like YubiKey Work?

  • Published on 27 Nov 2024

Comments • 99

  • @graytonw5238 · 1 year ago · +22

    This is one of those things that make me go "...hmmm". I learned a little more about it from this video though. During my sysadmin days (thank GOD I'm retired from that now!) I had guys in the shop who literally wore out their USB drives and laptop USB ports from constant plugging and unplugging, so that they became unusable. In addition to the fear of losing your YubiKey, I always worried about the eventuality of the key simply failing from use. But having the fail-safes of one-time codes and multiple 2FA backups does allay those fears, though. I agree on the topic of using it for the case of needing ultimate security; it wouldn't get any better than that. Great overview!

    • @xybersurfer · 1 year ago · +3

      Some of these keys can also use NFC. I also worried about the same.

    • @portman8909 · 9 months ago · +1

      I'm a sysadmin and we will be enforcing 2FA for all our users. A contract for security keys will be signed and we'll be supplied with the amount we need plus backups. If a user loses their key, it's no problem; our administrators will reset their 2FA and allow them to set up a new one.

    • @chingatumadregoogle1344 · 7 months ago

      On phones you've got NFC, or buy one for a laptop, or just a dongle for your USB, so the replaceable external part is the one to wear out.

    • @StijnHommes · 3 months ago

      The USB port on my phone has worn out. Besides, I wouldn't want to plug anything in there anyway.
      A Yubikey is just another roadblock to slow honest users down while having little to no effect on hackers.
      We should just stop treating all these scammers like their scams have any credibility.
      Let's start by getting local governments to stop stores from importing and selling Yubikeys to protect people from themselves and business greed.

  • @JadeSambrook · 1 year ago · +8

    Thank you Leo for this very helpful video. You are the only one out of all the privacy and security YouTubers who addresses the question of using the YubiKey along with other 2FA. For example, Facebook offers 2FA by authentication app, SMS and security key. And once I had set up my security keys in my Facebook account I was left wondering if I should turn off the other options to maximize security, but I could not find an answer anywhere.
    Although you mention that there is only a very small incremental security risk by having other 2FA options turned on, I've always wondered what the point is of having YubiKeys if the other 2FA options are turned on (considering the cost of buying a YubiKey). But now I've understood from your video that only for my most sensitive accounts should I set the YubiKeys as my only 2FA option, and for other less sensitive accounts it is okay to have some other 2FA options turned on (although I try to avoid 2FA by SMS whenever possible).

    • @millanferende6723 · 1 month ago

      Yes, or to secure your accounts in case you, for example, lose your phone or access to your Google Authenticator. It is also good to have your main accounts (Gmail, social media, etc.) backed up on a YubiKey. This is what I am going to do.

  • @TuulaMaaria · 1 month ago · +1

    YouTubers whose main income comes from YouTube now seem to get suggested to only use multiple hardware security keys as authentication, with so many accounts getting hacked. I haven't done that yet but will very soon.

    • @attemptive · 9 days ago

      I'm going to hack you

  • @AC-bw9tw · 7 months ago · +4

    Thank you for talking normally instead of fast. I can understand you, which is new!!! 4:29

    • @kevinmcfarlane2752 · 5 months ago · +1

      Lol, lots of people do talk too fast in these sorts of video don't they?

    • @millanferende6723 · 1 month ago

      @kevinmcfarlane2752 Yeah, or incredibly slowly. His pace is just right, and it is very clear.

  • @petermarshall5450 · 10 months ago · +3

    This was the very best explanation regarding this form of security. Thank you very much. Peter

  • @dgriffin6074 · 1 month ago

    Thank you. This is one of the best videos I have seen about the Yubikey.

  • @vatsaakhil · 2 months ago

    I just had to do it myself, got my yubikey and damn it printed that string!! This was exciting!

  • @abhijeetduttPandey · 1 month ago · +2

    I think you forgot to explain the part about 'how the Yubikey works.'

  • @pokeba6408 · 10 months ago · +4

    Very well explained! Thanks very much.

  • @bobsansmal · 5 months ago · +1

    I would have liked to see much more detail about how these devices work. For example: the YubiKey types out a different string each time, so how does an online account verify that the new string it's never seen before is correct? Does it have to query a YubiKey server at authentication time? If so, what does that query look like? Was some secret (like a public key) shared at the time of initial setup? If the YubiKey servers are ever compromised, would that compromise my accounts? Not that 2-factor services like YubiKey or, say.....Okta (ahem) are ever compromised... These are important details.

  • @NativeVsColonial · 1 year ago · +6

    Can it be cloned like SIM card cloning? I mean it has a USB-like structure which I think can be accessed, when used with the proper software, to view the data?!

    • @john-cv9dy · 1 year ago · +3

      Not possible.

    • @neuideas · 1 year ago · +4

      They are engineered to be very difficult to clone. In addition, there's a counter incremented with each use. If someone attempts to use a cloned YubiKey, the counter will be compared. If there isn't a proper match, the key will be invalidated.

    • @xybersurfer · 1 year ago · +2

      @neuideas Enforcing the hardware counter is not a hard rule in the specifications. It's up to each provider of the service to decide.

    • @FrankStjerne · 10 months ago

      @neuideas Timestamps are part of the validation, so a copy will have a different timestamp and it will not work. There is a chip inside that can't be accessed. It is like a secure enclave.

  • @StijnHommes · 3 months ago · +1

    Why are you so worried about having passwords compromised on the one hand, and then also completely not worried about having so many additional factors, any of which could be compromised and used to lock you out? That's called double standards.

  • @toondesmarets3033 · 2 months ago · +1

    If you leave several 2FA possibilities open (YubiKey, Google Authenticator, text, email), then a hacker can choose which one he wants to hack. The hacker has different options as well. He doesn't need a YubiKey. He can choose an easier one such as text or email. Or am I missing something?

    • @vatsaakhil · 2 months ago · +1

      Ideally yes; that is why it is better to combine two factors, i.e. something you know + something you have.

  • @jeanma2104 · 15 days ago

    Good and clear content. Thanks

  • @goodluckgino · 1 year ago · +4

    Great video Leo. Keep it up brother.

  • @SlackHoffman · 1 year ago · +1

    Hi, how do you check a YubiKey right out of the box? I received one in the post but the packaging was damaged! I wondered if there is a check that can be run on it to make sure it's not been tampered with, or should I just throw it away?
    Or is there a way to reset it?

    • @askleonotenboom · 1 year ago

      It's not resettable, but I'd reach out to Yubico (the manufacturer) and see if they have any advice.

    • @richstilke1227 · 1 year ago

      They don't work with Google, and most banks don't support them either. For the most part they are a waste of money. Even for a Windows login, you can just bypass it by entering the correct PIN.

    • @askleonotenboom · 1 year ago · +5

      @richstilke1227 My YubiKey works quite well with Google. I don't consider it a waste at all. (Yes, you do have to ensure that you haven't set up alternate mechanisms if you want the YubiKey to be the ONLY way to ID. You can turn off the PIN if you like.)

  • @skynetskynet4845 · 3 months ago

    Thanks for this very clear explanation!

  • @steve_main · 1 month ago

    7:00 Okay, stupid question here... If you have this super strong auth key and then you create a back door of 10 one-time-use codes, have you not reduced the security of the MFA to a single 10-character password? Not only that, you have 10 of them! So now it's not a needle in a haystack, it's 10 needles in a haystack. Also, people accessing these keys will know it's letters and numbers, all lower case and only 10 characters, which even further reduces the guesses needed. I am so perplexed by this. Can someone please explain: if it is okay/secure to have 10 one-time-use passwords, then why not only have them, and why do you need a security key?

  • @SuperFredAZ · 6 months ago · +1

    Excellent video!

  • @luckyrocks1 · 7 months ago · +4

    Can we just quit using passwords altogether and submit a dna test instead? Because I am old and getting older and I am out of guesses as to what my current password is!

  • @starterplanet · 6 days ago

    How does an account know the next password it generates is correct?

    • @askleonotenboom · 5 days ago

      It's a long, complicated answer, but the short version is that it's using public key cryptography. The security key has one of the key pair, and the system has the other.
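Leo's answer above and the counter discussion under @NativeVsColonial's question (the @neuideas and @xybersurfer replies) describe the same mechanism from two sides; what follows is an added, simplified model of it written for this thread, not code from the video, from Yubico, or from the FIDO specifications. The Authenticator and Credential types and the challenge||counter message layout are my own constructions: the key signs a fresh challenge with the private half it never releases, the service verifies it with the public half stored at registration, and then checks that the use counter moved forward, which is what exposes a cloned key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Authenticator models the secure element on the key: the private key never
// leaves it, and the use counter goes up by one on every touch.
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}

// Credential is what the service keeps from registration: only the public
// half of the pair and the highest counter it has accepted so far.
type Credential struct {
	pub         *ecdsa.PublicKey
	lastCounter uint32
}

// NewAuthenticator generates a fresh P-256 key pair inside the "device".
func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	return &Authenticator{priv: priv}, nil
}

// Register hands the service the public key only; the private key stays put.
func Register(a *Authenticator) *Credential {
	return &Credential{pub: &a.priv.PublicKey}
}

// signedMessage binds the service's one-time challenge to the counter value
// (constructed layout: SHA-256 over challenge || big-endian counter).
func signedMessage(challenge []byte, counter uint32) []byte {
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	sum := sha256.Sum256(append(append([]byte{}, challenge...), ctr[:]...))
	return sum[:]
}

// Assert is the "touch": advance the counter, then sign challenge||counter.
func (a *Authenticator) Assert(challenge []byte) (uint32, []byte, error) {
	a.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedMessage(challenge, a.counter))
	return a.counter, sig, err
}

// Verify is the service side. The signature proves possession of the private
// key; the counter check catches a clone, because a copy cannot know how many
// times the genuine key has been used since it was copied. The spec leaves
// this second check to each service, as @xybersurfer notes above.
func (c *Credential) Verify(challenge []byte, counter uint32, sig []byte) error {
	if !ecdsa.VerifyASN1(c.pub, signedMessage(challenge, counter), sig) {
		return errors.New("bad signature: wrong key or tampered response")
	}
	if counter <= c.lastCounter {
		return errors.New("counter did not advance: possible cloned key")
	}
	c.lastCounter = counter
	return nil
}
```

Copying the Authenticator value (clone := *genuine) after registration and calling Assert on the copy once the genuine key has been used is enough to trigger the counter rejection, and re-sending an earlier assertion fails the same way.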

  • @Matt-go7ss · 9 months ago

    So what if someone notices you have a YubiKey on your keyring, steals it, then knows where you have your laptop? You're screwed, right?

    • @askleonotenboom · 9 months ago · +3

      Only if they ALSO know your password. As soon as you notice your YubiKey is missing, sign in to your account (using a backup method also set up when you configured the YubiKey), and then remove the YubiKey from your account.

  • @jonmarcus1954 · 6 months ago

    How does a YubiKey work if I don't have physical access to the machine that is accessing the account? For example, I am running on an Azure virtual machine. Can I remotely access the key?

  • @emmapeel4259 · 7 months ago

    My question would be: if you use multiple 2FA methods, isn't your security only as strong as the weakest link (2FA)? So really, how is this security key going to protect you in the case of multiple 2FA?

    • @hellouser5498 · 7 months ago

      Doesn't make sense to have a YubiKey and leave email or SMS 2FA on.

    • @Our1stPlanet · 7 months ago

      Please correct me if I'm wrong,
      Other methods are only compromised when they are being used.

    • @kevinmcfarlane2752 · 5 months ago

      @Our1stPlanet The impression I had was that they were for backups. I.e., you use the strongest 2FA (Yubi) until you _have_ to use one of the others because you lost or damaged your key.

  • @alanglassman6473 · 9 months ago

    How would you use this on an iPad or iPhone where you do not have USB?

    • @darrentakesover · 9 months ago

      You can buy Lightning and/or NFC versions. But YubiKey is limited in what you can use it for with 2FA; it's only my emails and password manager that I can use it for. I.e., not every website that has 2FA lets you use YubiKeys.

    • @paulscussel140 · 8 months ago · +1

      They have NFC

    • @alanglassman6473 · 8 months ago

      Thanks

  • @GD15555 · 5 months ago

    Is it immune to browser hijacking?

  • @roobscoob47 · 5 months ago

    Thanks, Leo~

  • @WaschyNumber1 · 1 year ago · +1

    Is it not possible to make a key like the YubiKey from a normal USB stick or NVMe storage? 🤔

    • @askleonotenboom · 1 year ago

      Not exactly. There are techniques that require you to have a specific file that can be stored on a thumb drive, but it's not at all the same as what a YubiKey does.

    • @WaschyNumber1 · 1 year ago

      @askleonotenboom OK, for me it's too expensive to buy one; £60 is not cheap, and a good USB drive I can get from SanDisk for £20 or even cheaper, depending on how many GB it needs. 🤔

    • @vishwanathnb128 · 1 year ago · +1

      @WaschyNumber1 It's not about GB, it's about how it's built: the encryption and tamper-proofing.

    • @killer2600 · 8 months ago

      Yubikeys look like usb thumb/flash drives but they are not nor will they appear as a drive when you plug them into your computer. They are more like smart cards, the kind you may have seen on your credit/debit card albeit you can't plug your credit/debit card into a usb port.

  • @mr.wigglemunch3856 · 9 months ago · +1

    If I have two YubiKeys, recovery codes and the authenticator app, is it wise to remove the rest of the authentication methods like email and phone number verification?
    Also, in theory, if a hacker SIM-swapped my phone number, could he or she change all the other authentication methods in my Google account and make the first methods I mentioned useless??

    • @killer2600 · 8 months ago · +2

      If you are confident in your recovery methods, it is not unwise to remove weak authentication methods like SMS and poorly secured e-mail (whether it's on the user's or the e-mail service's end).

    • @mr.wigglemunch3856 · 8 months ago

      @killer2600 Right, thanks!

  • @jordan9632 · 6 months ago

    Any MFA is better than no MFA, but all MFA are not equal. Cell and email should be skipped altogether.

  • @Summerbunny15 · 1 year ago · +6

    I would advise anyone using SMS as 2FA to activate mobile PIN lock - this is associated with your mobile phone number, so in the event your SIM is swapped, the bad actor cannot access your SMS messages as they would need the SIM PIN to unlock the fraudulent SIM on their device.

    • @killer2600 · 8 months ago

      With SIM swapping they don't actually take the SIM from your phone; they just get your phone company to send a new SIM for your account to them. SIM PINs only lock the SIM card you have in your phone; they don't have any effect on the new SIM your phone company sends to the perp.

    • @Summerbunny15 · 8 months ago

      @killer2600 I'm aware they can't physically take the SIM from a phone in a SIM swap; however, as I said, the SIM PIN is associated with your phone number, so they cannot use the fraudulent SIM to access your phone details on their device, as they will require a PIN. (I have a SIM PIN lock, and every time I switch my phone off and on again, I need to type my SIM PIN to get back into my phone; it would be the same for a bad actor who swaps a SIM, as the mobile number is migrated to the fraudulent SIM.)

    • @Imw101 · 8 months ago

      @Summerbunny15 A SIM PIN stops your SIM being used in another device. A SIM swap is when the criminals obtain a clone of your SIM.

  • @customer7903 · 10 months ago

    My issue is Yubico; your review is not showing the full picture. It takes 2 weeks to have them delivered, and if there is an issue then the buyer has to pay for return postage. Also, their customer service is very slow, and on occasions I have had to write to them more than once to even get a reply!!!

  • @ChibiKeruchan · 10 months ago · +1

    YubiKey is far easier to understand than the passkey 😂 simply because it has a physical key (kind of thing) associated with it.
    Also, you can just leave it at home in your vault, and it is the best kind of physical thing you can pass to someone in a cool way. Just imagine you die and your lawyer pays a visit to your family to tell them your last will and testament, and in the process they give them your YubiKey 😂😂😂😂

    • @utuber1000 · 9 months ago

      I don't understand what I am supposed to imagine. Please explain. Okay, first my lawyer visits my family, then which is "them" and which is "they?" Are you saying my lawyer had the key and gave it to my family; or are you saying my family had the key and gave it to my lawyer? And why? The speaker in the video didn't say anything about all the passwords - where are they stored? Are you saying they are in the key? Or are you saying that with the key the family won't need the passwords? And is your scenario going to cause an argument amongst family members as to who gets the key? Or gets what? I thought the key only did 2FA not passwords.

  • @bernardmueller5676 · 1 year ago

    Why YubiKey? Why not a FIDO security key? BTW, pressing the key is not sufficient. You have to enter a password for the key.

    • @askleonotenboom · 1 year ago · +2

      You may not have to enter a password for the key. (At least I don't). And YubiKey is just my example. There are other secure keys out there.

    • @killer2600 · 8 months ago

      For YOTP (Yubico One-Time Password) you don't have to enter a password. And why not just a FIDO security key? Because FIDO doesn't work across interfaces/connections that only permit keyboard character entry. That's where TOTP still shines and where YOTP was a hardware token game changer: with either OTP method one can implement 2FA in any interface that takes ASCII keyboard characters.

    • @mrphillipzz · 8 months ago

      YubiKey 5 series is FIDO compatible.

  • @rholmst · 10 months ago

    I prefer google’s titan key.

  • @autohmae · 1 year ago

    Yubikeys are in different types...

  • @IntraVortex · 22 days ago

    They don’t work. Mine didn’t. The company sucks!

  • @TheSolderingGuy007 · 9 months ago

    I am completely lost on how this method is not seriously more insecure.
    The problem with a lost key is not how you would get in!!! It's how to prevent the new owner from entering your account!!!
    Most current 2FA are not 2 factor but 3 factor. E.g. you need to 1. know the password, 2. have the phone & 3. be able to unlock the phone (fingerprint/face/PIN).
    What am I missing?

    • @askleonotenboom · 8 months ago · +1

      I'm not sure where you're getting "more insecure". Hardware keys are more secure. Most current 2FA are two factor, even if you have to unlock your phone. 1) What you know (your password, AND your phone PIN), 2) What you have (your authenticator app). It can be seen as three factor if your phone unlocks with fingerprint or face ID (what you are).

    • @TheSolderingGuy007 · 8 months ago

      So you are accepting that a person who steals the key and guesses the password can access your account.
      With the phone, they would need your fingerprint or face as well (the '3rd' factor).
      And stealing this HW key will be much easier, since:
      1. People will leave/forget it plugged into their computer out of laziness or convenience.
      2. The nano keys do not have a key hole, so there is no way to 'tie' them to your car/house keys for protection.
      How is that not more insecure?

    • @askleonotenboom · 8 months ago · +1

      @TheSolderingGuy007 Those all seem like very low probability and easily avoidable events. (And remember, NO solution is 100% secure. No such thing.) More commonly people fall for phishing attempts, which can include catching 2FA codes from a phone in real time. A hardware key is impossible to phish: you need actual, physical possession.

    • @TheSolderingGuy007 · 8 months ago

      @askleonotenboom Not convincing, but thanks for trying.

    • @killer2600 · 8 months ago

      There are 3 factors of authentication of identity: 1) Something you know, e.g. password. 2) Something you have, e.g. phone. 3) Something you are, e.g. fingerprint.
      Being able to unlock your phone with a PIN/password makes it only 2 factor, not 3. A password + a device + another password still only needs you to know your passwords and have your device, which is 2 factors out of the 3.
      The risk of losing a YubiKey is lower than the risk of your always-connected phone getting hacked with a zero-day exploit. Because of the convenience, more people are exposed to internet-based hacking and over-the-phone/email scams every day than they are to in-person theft. So physical items not connected to the internet are inherently more secure from those things we are most at risk of every day. As for accidentally losing a YubiKey, it's a 2FA device, which means it's one part of an authentication that requires two parts. The "new owner" would only have one part and wouldn't be able to log in, presuming they would even know what accounts are associated with their newfound key.
      TL;DR: Physical/offline security is vastly better than anything you do with your always-connected-to-the-world-wide-web smartphone. Even the best hackers in the world are foiled by a paper document lying on top of my desk; they just can't quite make that last connection.

  • @davidcopeland5789 · 4 months ago

    What are the weaknesses of YubiKeys? If you have a backup key, you obviously can't keep both keys on the same keyring. Suppose one of the YubiKeys is on a keyring and you lose your keyring with all of your keys. Will the finder of your YubiKey have access to all of your accounts? Suppose it gets stolen. What then? Do you rush home, find your backup YubiKey and remove the YubiKey from all of your accounts? If you have a backup YubiKey in a secret place, do you have to always be concerned that someone may find your YubiKey and access all of your accounts?
    These are things we need to know. What are standard practices to avoid trouble?

    • @vmobile890 · 2 months ago

      The spare key to a borrowed summer home has been around my neck for the last 20 years. My YubiKey the same, or medical-taped to my chest.

  • @viewitnow3539 · 4 months ago · +1

    2.5 min in and you're just repeating what a YubiKey is; ffs, get to the point.

  • @dumptrump3788 · 9 months ago

    So someone can come along, touch your Yubikey & it'll work anyway....yeah, really secure.

    • @askleonotenboom · 9 months ago · +3

      If they have physical access, that's your mishandling, not theirs.

    • @portman8909 · 9 months ago · +8

      Would you give someone your house key?