That's the exact reason I haven't bought a Yubikey yet. My bank account is one of the least protected because banks ironically don't seem to be interested in proper security. The only account I care about which supports yubikeys is the email account, which is important but it's just a single one.

Glad you made this point. Financial services have successfully externalized all of the costs to other parties, including us, their customer. Even Bank of America's WebAuthN implementation is pathetically lazy. By contrast, gaming companies have had to bear the burden of taking calls, creating tickets and recreating state in the game. In short, cost. So, they went looking for a better answer. TL;DR - incentives are for banks, sadly, to do nothing.

@@SaHaRaSquad I would recommend getting the cheaper fido keys( you should have at least two.. I have 3) and experiment with them on a site you do not care about so you can test the ins and outs

That's because they gotta cater for everyone... The larger population of users, the less secure it will have to be.. We always cater for the 'bottom line' the least secure.... The reason why banks usually won't adopt better security is "Our platform doesn't support it", or "it will be too costly". I would say its about bloody time users got educated.... We all wank bank to stop scammers for us as well, but going "so far" with anything, will force users to be better. To me, that is a good thing You can't expect a business to hold ya hand 100%..

@@Tech-geeky I am not sure I agree with your assessment. *That's because they gotta cater for everyone* Doesn't Social Media as well? If social media can manage to implement better security.. The banks should have no difficulty. And let us not forgot. This technology is available for those that want it. The broader clueless user base is not likely to forced to use this tech with obvious security benefits. But financial Institutions seem to be purposely taking steps that make accounts "Appear" secure without ACTUALLY being secure.

I agree. My current bank only uses SMS which is insecure. Better than nothing I agree but at least offer Google Auth as an option!

Yes! I was the victim of a SIM swap and haven't wanted to use my phone for anything since but am often forced to. Even though I invested in a hardware key, it's rarely an option on its own.

This is the real problem. So little support for hardware keys still.

Nah, my bank just asks for my dog’s name. I’m sure that safe.

@@notreallyme425 I generate random strings for each one of those. They are essentially passwords so you should make them secure.

I appreciate that!

it should be a part of the device itself, inside TPM

@@ShannonMorse so once you fail IT and this platform, when are you making a o/f ?

Smart!!

I wish they did this for online (and offline) credit and debit purchases - fraudulent charges would go to virtually zero. So just having the card number and details would not be enough for a purchase to go through. Some banks have started doing something like this using virtual card numbers.

Bank of America, at present is the ONLY U.S. bank I know of that permit their customers to secure their accounts with YubiKeys.

Much appreciated!

Agreed. I was hesitant to get one... I didn't understand them, and I was worried I could lose one. So I bought two, eventually, and when I used them I was an instant convert.

@@mschwage I'm so glad you decided to invest in some Yubikeys! You're doing it right!

Yesss this is the way!

What about those non smart phone users....yup...encountered it before.....

@@BDBD16 That's why phone apps are the primary option - but not the only option. For people without smartphones or who don't want to use their personal phones - the a yubikey covers those cases.

Hi, here is a simple trick. Give them the micro keys that will always stay plugged into their laptops/workstations. If you are trying to protect from stolen laptops, configure the yubikeys to also ask for a password, not just a tap. Another way I’ve seen it done was to suggest them to have them attached to their badge keyring or home keys.

I couldn't agree more. I work in IT Security and if you read my posted comment, it talks about people losing or forgetting their keys everywhere but on them.

Who are these people who are going to work without their keys?? The whole idea of these things is you keep one on the same key ring as your house key, so you're essentially never without it

We've seen websites that offer SMS and auth app. And the more rare SMS / key combo. If you're lucky you might get a website that offers one of each method or up to TWO keys. But, my favorite sites are the ones that allow you to use ALL methods and as many as you like. One change I would at least like to see is if you're required to have 2 methods to activate MFA, that you can use 2 keys and/or not have SMS be mandatory. But SMS is about "We know you're a human being"...at least that's what the American banks, etc, tell us. Are cybercrimes at the point where either phone companies or websites should be held responsible for sim swapping if SMS is the only 2FA method available? If the answer is "Yes", then what happens to users that refuse to use 2FA or websites that don't offer any? Like the recent password stuffing attack on PayPal.

This is exactly why I stick with TOTP instead of pushing forward with hardware keys. I can't trust myself to not lose it and royally screw myself over.

Yes, this is a big missing part. What they do often allow: a list of 'recovery codes'.

@@SgtKilgore406 I totally agree with this. I can't have everything tied to a single key. These keys are tough but they can get damaged or lost. You either can't have a second key or you have to leave a backup to get in that someone could just use to bypass the key anyway.

THIS! I don't know if they fixed it, but a while ago even Amazon AWS only allowed you to register one (ONE!) security key!

Hey welcome to my channel! I'm pretty active with the community here if you ever have questions or just wanna say hi 😄💓

That's correct!

I'm surprised OP missed that. I don't consider SMS or email as 2FA. All my 2FA are TOTP keys which as you said cannot be intercepted provided you are smart with your secrets. If it wasn't for my aptitude to lose things from time to time I wouldn't be as afraid to invest in physical keys. At this time I see it as too risky to use a security device that small and potentially that easy to lose.

But what happens if I lost access to my phone? The websites offer an easy way to restore my logins? I have that doubt :/

@@joseabraham777 There are two possibilities: - you backup your 2FA data in the app to the cloud - you use recovery keys which you can get from the site you login to (do this before losing your phone)

@@ericdere Please help me understand how these recovery keys don't completely undermine the concept of 2FA. A brute force attack can penetrate the static recovery keys even when the website tries to circumvent. Most of the recovery keys I have seen are 8 digits long max and the sites don't lock you out after multiple tries. Sometimes the recovery screen defaults back to the username/PW login screen after several failed attempts, but a crafty hacker can automate the brute force attack. At the very least, the recovery codes provided should be much much stronger.

still depends on weather people keep their device up-to-date and app(s). Apps depends on operating system and therefore device.. QR codes are not perfect either. and i wouldn't really reply on them for security. TouchID is better. Its all a stepping stone... How secure do you wanna be ??

Absolutes are never the solution. The security required needs to be tailored to each specific case.

Example: someone who’s job is welding or some other construction work and they never need to log into a computer at work.

@@Lucy-dk5cz I agree. Well stated.

set up a pin, disable key 1 asap in account with backup key. A thief would need to know your usernames and passwords unless you have it setup where you can login just using a key then you’re screwed 😬. You really do need a second key in case of doubts

Do yourself a favor & follow YubiCo's STRONG RECOMMENDATION, go back & buy a 2nd Yubikey, incase you lose your first one.

lmao wat

😆 did i read that correct?

@@Tech-geeky Of course I'm kidding. I'd have to keep them in a freezer and wait for them to thaw every time I wanted to login to GMail. Who has time for that?

This is not true. Twitter is only forcing you to pay to use SMS 2FA, not other forms of 2FA. TOTP and hardware keys are still possible for free.

@@dj_chateau Thanks for correcting me. I will research this further.

@@AnthonyGoodley You're welcome! Don't feel too bad about this one. When Twitter announced it and put up the alerts about it, it was so badly communicated to end-users that many of them would have reached the same conclusion you did when it was spelled out right to them. This led to a large amount of prominent Twitter users misunderstanding and reporting what you just did, which snowballs and propagates that misinformation. I think the other reason it was so believable was the logic that people wondered why Twitter thought people would want to pay for a less secure 2FA option. Which is a fair question. Why would they do that? It came down to cost-cutting to lower their bill with Twilio whenever any user would use SMS 2FA and most users not understanding the distinction.

I was a bit surprised this wasn't mentioned in the video since it seems to be what truly differentiates a FIDO2 key from for example an auth app or a "legacy" HW key. In my understanding FIDO2 protocol does protect from this type of attack, making it an "unphishable" authentication method.

@@steamfox How can they defend against this? The middleman essentially relays everything until validated.

@@gblargg The middle-man uses a look-alike domain. So if the domain name is used in the challenge: the response won't be correct for the real website.

@@jamesphillips2285 How does the USB device know where the challenge is coming from? Just forward the authentic challenge from the authentic site.

@@gblargg Without getting into the standards documents (Apparently U2F was renamed CTAP is how far I got), the browser must pass on the web domain as part of the challenge.

Thanks so much!

I just read about that last night!

@SME Pictures sure, but the difference is on the other side. Pressing accept on a prompt or having numbers flash on your phone is able to be seen/pushed/stolen by others without you doing anything if they have the right malware. Not the same for you taking a security key, inserting it into the device, and pressing the button. You can't screen capture or keylog that physical action.

Lastpass' day is over. I have moved on.

recently the Microsoft Authenticator app has started asking for a 2 digit PIN instead of just asking to accept, in most cases. the PIN is shown on the website you are logging into. when the request arrives at the app, then the app asks for the PIN to be able accept the request. i think that might be what they mean. this way you can't unintentionally accept a request that someone else made, because you don't even know the PIN that you are suppsed to enter to accept it. the attacker can't even spam you with requests because, and make you eventually accept to make it stop because you don't even know the PIN

LMAO, yeah that is on the Engineer who accepted the push not a flaw in MFA.

lmao, Car and House Keys are becoming obsolete with smart locks. You don't need a key to open your car anymore, you use a keyless fob. You also don't need a key to start you car anymore. Your comparison doesn't make sense.

* Your *. Are you aware I did a video about that 3 years ago? If not, go watch it! kzbin.info/www/bejne/f5qydWiEaaprpqc

If a hacker has already gained access to your computer, then you have much more serious problems with your network. But that's like saying you shouldn't lock your door in the future because one time you got robbed. 🫠 Why the heck would you not wanna first fix your network issues, and then harden your online security with 2fa?

@@ShannonMorse right on

I did a whole episode on cookies on my channel, you should check it out!

Hi! I answered this in my previous videos, 5 Myths About Yubikeys. kzbin.info/www/bejne/rJu3cml6mqlsr5o

@@ShannonMorse Thanks. I must have missed that video - will go watch now :)

Its best to buy 2... 1 is your primary & 1 is backup in case you lose the other. Keep 1 in your safe or somewhere secure.

@@Macleod1617 @ShannonMorse Thanks for the help. Just placed an order for two Yubikeys.

Hey, I did a video about this! kzbin.info/www/bejne/ZprUYXWdnrCfja8si=bH7HqS8xGnVOAZZc

Websites generate Backup Codes when you enable MFA. These are only generated once so you have to copy them or print them out before leaving the setup. I've done previous video tutorials showing how to setup a yubikey which explain this process in depth. (I'd also recommend setting up a second yubikey and storing it somewhere safe in case your main one gets lost or destroyed).

Backup keys and backups codes. If you want more info, I'm uploading videos about BOTH of these options in the coming weeks. Stay tuned!

Here, watch this video my friend Rachel did. She demoed how phishing would be blocked if the target uses a hardware key. kzbin.info/www/bejne/i6izfJKfmtmorsk&feature=share9

No we don't. The industry just need to use proper MFA practices.