Hey Josh, I just bought a yubikey5 but realized only the bigger websites like google and Facebook use the fido2 standard. Steam, epic games, etc don’t have this implemented and my password manager (Bitwarden) doesn’t allow me to set up a yubikey without premium. Are there any more popular services that use this?

laptop?

Awesome! Enjoy :)

YES! So glad you mentioned that. I didn't realize that was possible and I'm so glad to hear that.

I just did all this for Bank of America but it still offers me only sms auth to log in… I haven’t found anywhere I can delete that, the wrapper section now reads like it’s the yubikey only. Going to give them overnight in case they run some kind of early 2000’s chron job to reset that, but if that doesn’t work, it’s back into the suppor call queue 🙄

I was wondering about that as he was going throug the video. SIM swapping now making 2FA a high security risk and many organizations require it. Watching I was thinking what stops a SIM swapper from adding their own secutiy key. Trying to wrap my head around the security key to decide if it's the right choice for me. Now I am wondering if everybody allows to disable 2FA.

@@3weight Not sure Bank of America don't allow us to disable SMS either. Hopefully as time goes on passkeys will be the norm where sms is no longer needed.

@@Darkk6969 yeah, it’s so weird - the most important things I need to secure are my bank accounts and they don’t let me.

I know. Thankfully, I think that’s changing little by little.

Or they do but you cannot remove SMS. so it’s there like a backdoor into your account.

Your security is only as strong as your weakest form of 2FA, even if you’re using a security key.

@@AllThingsSecured Agreed but even if you do everything right you are always at the mercy of your vendor’s software. I did not name the company in my original post but I think now I was being overly cautious. It is Vanguard. They are like the security key poster child, but I quickly found it could not use the key on their app. I called and at first they too were shocked. That can’t be right. They researched and put me on hold and researched some more. Finally they conceded I was right and put in a request for an upgrade. That was a month ago. It might have been fixed by now. If so, then I am to thank apparently.

@@AllThingsSecured Unfortunately, that fact goes right over some people's heads ... :)

Yes, you can remove a key using either your primary or backup key.

@@AllThingsSecured Technically, one isn't a primary and the other a backup. They are, in essence, identical. You simply choose to physically carry one and use it while keeping the other in a secure location.

Hopefully others answer, but to my knowledge the best you can make of this bad situation is to try to use a Google Voice number for SMS from a well protected google account. Far from ideal, and some services will not allow GV, but it is at least a number not subject to SIM card attacks.

@@myr3434 that is actually a good idea. I'll give it a shot

Yea, I like the previous answer here. You can use a virtual number (not your primary number) for the SMS. Also, for some services like PayPal, you can remove your phone number SMS authentication once you've set up both an authenticator app and a security key/passkey.

@@AllThingsSecured Thank you both for the responses. This was driving me crazy.

@@AllThingsSecuredooh! Please show us how to do this for iPhone 🙏🏻😃

They’re extremely durable, but that’s why I always have a backup key or keep my backup phrase in a safe place.

@@AllThingsSecured Have more than one key. Setup authenticator app. Lots of options.

⁠@@AllThingsSecured Are you able to create a backup phrase equivalent to your Yubikey as a backup too?

No. There would be no way to compare.

I haven't yet, but I'm considering it. And yes, I do believe that you can use 1Password as a passkey for any account that allows for passkeys.

@@AllThingsSecuredyes please for iPhone also

I believe Apple only allows passkeys from iCloud keychain and nothing else so far. That might change in the future but you can keep checking.

Yes, you can. You either plug the key into your phone or take advantage of the NFC feature by tapping it on the back of the phone.

Start with the cheapest one to try it. Just be aware not all keys support the Yubikey authentication app, so if you want this, you will need a higher key. I have two basic keys (5NFC) and a 1 x lightening key which does support the app as my primary key, the other two are my backups.

No. 1Password or the Mac built-in Password app (or more like the platform-authenticator) also can act and look like a hardware security device to a website. So when you click the "Add new key" option, if it wants to add a FIDO2/WebAuthn key, then you'll have a native operating system popup which is going to let you select whether to actually use a hw device or use the built-in authenticator (which by the way probably uses the security element inside your computer/phone, so it is not inherently insecure, just physical theft aspects are not as good, not as "multiple-factor" since the theft and gaining access to that single device can compromise all factors at ocne. Also take into consideration, what options you have to recover your (TOTP) authenticator apps. That's a weak link. If lost PIN or password can be recovered with an SMS, or an account that is not 2FA protected (eg. your Google or iCloud), then compromising that recovery method let's an attacker retrieve your TOTP codes. So best not to put all the eggs in the same basket... For additional knowledge, a website can ask not to offer the built-in authenticator and rather require a real physical key (WebAuthn authenticatorAttachment="cross-platform").

Thanks for the suggestion!

​Same query ​@@AllThingsSecured bought 2 yubikeys (inspired by your vid) first one i used already and the other one is otw however I saw another vlogger recently where he set up his yubikey e.g. changed pin, PUK etc. Is it necessary to configure all this? Thanks man. Regards from Oz/NZ.🎉

Yubikeys are far stronger. Unless someone physically has your Yubikey, they can't use it. Passkeys are alternatives to passwords, but they can be copied and synced across devices. A Yubikey can not be copied.

they'd still need your password I guess?

Yes, they would still need your username and password. The idea of somebody trying to find and steal such a small key off of somebody hasn’t really been a thing, though.

@@AllThingsSecured Well unless you're watching a Hollywood feature film - lol!

Thanks for the idea!

Have you seen their tutorial? kzbin.info/www/bejne/hpapYYxupblqi7Msi=cGwonFwu8x1Bl6o4

Yes

I believe it depends on the service, but in my experience yes, the keys can be used from different locations. Simultaneously? Depends on what the service allows.

Same question

Same question too

It is recommended to have multiple of these on each account, that way you have backups. One key for example you keep on you at all times (on your keychain). Then at least 1 more in a secure place at home, or even multiple in different places at your house for example. If you lose them you can unassign it on your accounts. I have two keys for me and two for my wife. 1 on each of our keychains, 2 in secure places. All of them can be used on our accounts so if we lose one, we are covered.

Yes and yes

The TV app will require authentication via your phone, so if your phone has been logged in with a security key, you won’t have a problem.

I use Youbikey with my BitWarden account.

I believe that all of them do? I know for sure 1Password, Bitwarden, Proton Pass and Dashlane do.

No. You can use the key on unlimited accounts as a key for 2FA. If you use the Authenticator codes feature from the 5 series, I think they limit you to 32.

@@AllThingsSecured Thanks! The FAQ on YubiKey tells: "FIDO2 - the YubiKey 5 can hold up to 25 resident keys in its FIDO2 application." What are "resident keys" then?

I tested them and I like them, but I prefer the 5 series. The Bio doesn't have NFC (making it difficult to use with my iPhone) and it doesn't store authenticator codes.

I do have the mini that I keep in my laptop. Most people opt for the 5 series or Security series, so I’m just showing those in the video. It all works the same.

@@AllThingsSecured Thank you for your reply. Since that resolves the last question I had before making my choices, could you please confirm which links are your current links to enable me to place my orders with the no-cost commission to you?

Sorry for the late reply. I appreciate your desire to support. At this point it’s best to just go to their website or Amazon to purchase. No worries about commission 👍🏻

I’m not clear on all the details here, but using a YubiKey on older Macs is absolutely possible. Not sure why it’s not working for you, but I don’t think it’s the key + operating system.

I have used Yubikey 5C NFC keys on my iPhone 15 Pro without issue. No problem with the USB-C or NFC functionality.

There shouldn't be. It sound like something with the email provider (or app).

This is why I am skeptical of these keys.

It's not worth the effort. Hardware keys don't work for anything important and they are way to hard to setup.

Neither Amazon or eBay allow account holders to set up HARDWARE YubiKeys as a method of 2FA.

@@azclaimjumper Thanks, just trying to confirm what I suspected.

Yup, Amazon doesn't allow it.

Yea, it's a shame, but Amazon doesn't let you lock down your account with a physical 2FA key...yet.

Same thing I realised can't use the hardware yubikey as 2FA however, a workaround can be using the yubikey authenticator for the time being if it's not too much trouble for you I guess.

Same key for sure. But always have a backup.

The best procedure is setting the same accounts on both keys (unless a service only allow one key). Your second key will be a backup for the first one (so you need the same thing on both of them). This is my method.

What happens if I lose both keys, primary and back up?@@AllThingsSecured

As many as you want

@@anthony9013 thank you Anthony! :)

Yup…it’s unlimited.

Just log in once with the YubiKey on your phone and it won’t be required every day for login.

@@AllThingsSecured thank you!

Easy: Delete that ridiculous app and get your life back. Spend time with the family. Mow the lawn. Volunteer at a food bank. Anything is better than wasting your life on FB.

This is a passkey. You can save this to a device or to your YubiKey. It’s up to you.

I haven’t had any problems with it yet.

Hmm, I didn't know that, but it seems that you're right. That's a shame.

Absolutely. Doesn’t have to be the same key.

Definitely worth some research because honestly, I don't know the answer to your question!

No, the same two keys (my primary and backup) can be used for an unlimited number of websites/accounts. You only need to purchase 2 keys.

Thank you for your answer.

The Yubikey isn't app. It's a physical device. The Yubikey is a 2FA (two-factor authentication) method. Your phone app (e.g.., Authy, Microsoft Authenticator, Google Authenticator, etc.) is also a 2FA method. So is getting an OTP (one-time password) delivered via SMS (text). In order to use any particular 2FA method, the web site or application you're wanting to use it with must support it. Some do not support Yubikeys as 2FA methods. Bottom line, it's all up to whomever developed the web site or application.

@@bobbybarnes1652 I thought I can replace the authy with yupi key and the yupi key app for OTP. When my Phone broke, I found out how helpless I was. It would been cool to have a yubikey 2FA app in the yupi key. This is how I understood it. Thank You

No, you can add multiple 2FA security keys to your Google account.

Do you usually carry two car keys for the same care in case you misplace one? Same difference. You keep your backup key in a safe place.

Yea, a backup key is nothing more than a second YubiKey that is setup in the same way as the first. You can’t copy keys.

@@AllThingsSecured thank you

@@AllThingsSecured do these keys have expiry date? Do they fail ? What of they fail? Is there any option to recover accounts ? Let's just say both the keys failed, or stolen or something happened

No expiry. I’ve never had one fail personally nor heard of that happening. Regardless, that’s what a backup is for.

@@AllThingsSecured thank you

You use the backup key that you bought and configured at the same time you bought and configured your main key.

Yes, using a physical 2FA key to lock your Bitwarden account is an excellent security measure.

@@AllThingsSecured Finally! someone answers! Thank you! I wasn't sure if keeping everything in one nest was safe(which i get it isn't) but i had assumed having physical keys would make it safe, just wanted confirmation from someone who knows, Thank you! :)

That's how my BitWarden account is set up. I also had BW remember one of my Yubikeys with my home laptop, that way it doesn't ask me for my Yubikey. I only use my Yubikeys when I use a computer outside my home (ie work computer).

@@manny7886 thank you! :)

Correct. You have a primary (that you usually keep with you) and a backup (that you keep stored safely elsewhere in case something happens to the primary). The 2FA key is a second form of authentication beyond the passwords.

You don't use them together. You just set them both up, then keep one put away in a safe place. That way, if you damage or lose the one you carry with you, you can just grab the other one from the safe place and use it. Then, you can set up ANOTHER key and delete the damaged/lost key.

One can be put away in a safe place in case you lose the one you carry/use.

Yes, it can.

As long as you have some kind of backup, you can always log in and remove a key. That’s one reason it’s important to name them if you can so you remember which one to remove.

@@AllThingsSecured so if someone finds or steals your key and deletes all your other ones...

​@@erbalumkan369In most cases, they still need your ID and password in addition to the YubiKey.

@@erbalumkan369 They can't login to your accounts unless they have your login credentials (username/password) AND your Yubikey, so they can't delete anything. 2-factor authentication means they need TWO factors, not just one. ;) And you should have a backup key to get in to your accounts in case your main key is lost, stolen, or damaged.

It's possible to also add a PIN number to unlock the physical YubiKey before it will work. In the case of using Passkeys on the YubiKey, a PIN is required for that category of security on the physical key itself. So, yeah, you would have to have in your possession the Login Name, Password, Physical Yubikey, Possibly the correct authenticator app and possibly the PIN Number of the YubiKey itself to actually be able to login to one of your accounts. Sounds pretty darn secure to me.

So glad it was helpful!

It’s not an end-to-end encryption for you as a user, no. But that’s true of pretty much every social media platform.

Browsers were made to browse the internet. They were not designed to encrypt a password vault. That’s my opinion.

@@AllThingsSecured what do you use to store your password?

Bitwarden ​@@n.g.l.

That’s why you need a good backup. Carrying around keys for your car is cumbersome too…

If you only secure your accounts when they are convenient, you're a hack waiting to happen.

I know...hopefully someday!

Thank you!!🙏

You can remove the phone number after multiple keys are setup.

It depends on the service. The YubiKeys themselves aren’t named.

A PIN code through your phone number? I only had that at the start of the process.

@@AllThingsSecured No, a pin code for the key that has to be put in after the key is inserted. When the PIN is entered then the request is made to tap the key.

You are incorrect. LastPass was hacked. 1Password has not.

What?

Bad idea... Any authentication tied to your mobile number means you don't really own or control it. YubiKeys allow you to own your authentication, and it's beyond the control of the phone company.

@@JM.TheComposer Many website logins do not support anything but a mobile passcode... thus keeping your cell phone account as secure as possible from SIM-jacking etc is critical... If your cell phone company supports it, you should use yubikey on your cell phone account MFA. Unfortunately most carriers do not support it.

How so?

You'll never know...

Sorry to disappoint you. Sometimes you get stuck with a service and you have to use what they give you. Thankfully, Vanguard does allow you to remove your phone number after you set up two security keys.