Thank You For Your Content ❤ you put so many videos which help people learn also I Brought 2 Yubikeys about one year ago love them I fell much safer the best 2FA method easy and secure

Strong, I forget my passwords and passkey save me I just need to use my fingerprint

@@AllThingsSecured honestly, I use both. Passkey for my mobile device. This is preferred. I also use MFA and all services I use too, should an attacker choose to use a password login they would still need an MFA code.

Pass keys are far better than a password with 2FA. However, with software passkeys, there’s always a compromise for convenience. Hardfobs are by far the most secure.

Haha! Yea, I’m learning that.

The video feels like it slows down

I don't think it's KZbin that's the problem LOL.

Why is that? Can anyone explain it?

@@user-bo4uc3el5t the video compression algorithms try to limit the amount of data transferred (bandiwidth), it seems they can't deal well with the amount of details on the shirt, then instead of reducing detail they prefer to reduce the amount of frames, or something like that

In some respects, yes. But there is added security if YOU as a user only use the passkey. It protects against phishing and it's not susceptible to keyloggers or other MITM attacks.

@@AllThingsSecured ah, good point. If that password is unique, safely guarded, and never used, then a user can enjoy the benefits of a passkey and just reserve that password as a last resort method.

That’s why for accounts like that - where someone can cost you money - use a password manager like 1Password to create an incredibly complex password and enable 2FA.

I should add that most sites are reticent to remove password authentication since passkeys are so unknown to most users. Once they become more accepted, I would expect password logins to be removed for new accounts and then ultimately for legacy accounts. That - of course - will take quite some time. All major changes do.

@@AllThingsSecured AITM

Yea, passkey use is limited, but using it as a 2FA key is very useful!

The advice in the video is on point for this: use the keys only for the most sensitive accounts, and you’ll find that these services are often the most mature as well. One thing the video didn’t mention: keep a record of which accounts you set them up on, because on the day you lose the main key, you’ll want to order a new one and set it up on these same accounts again (and revoke the lost key too)

​@@GuillaumeRossolinithat's the reason to have 2 of them. One you use and one stored in a safe place as a backup.

@@artos6209 no, I’m well aware and I was actually pointing out what happens when you lose one of the two keys

Always

I agree, but I think they're going to be slow to do that for a number of reasons.

They'll still need a mechanism for you to gain access if you lose your passkey.

@@Toramt they can add a feature to unlock password authentication by sending sms with OTP to your phone and then after you're verified you can enter your password.

They will give you contempt charges if you don't in some cases but if you have something that important than setting it to destroy itself is better

If you can, I would advise that you do.

Because text messages is the main vector for SIM cloning. I would suggest if you can use your Yubikey everywhere you can

Yea, sorry about the dropped frame rates. It’s a new piece in my studio and I’m working on it. Thanks for your understanding.

I'm watching this on my work computer and the FPS get me thinking "Is this laptop really that bad?" lol

Glad it was helpful!

It's really sad that he said some only allowed syncable passkeys.

Glad to hear it. 👍🏻

Ha! Yea, you’re not alone, nor are you stupid 😂

Thanks for the questions, Michael. Yes, you can create single-device passkeys using your phone and that would be about the same as a Yubikey. The difference is that the phone is connected to the internet at all times while a Yubikey is not. And no, I don’t think this threatens Yubico. In fact, they helped develop the FIDO2 standard. Their key is just one of many ways that you can do 2FA or passkeys. Make sense?

the more widespread these technologies are, they might sell less percentage wise, but the market itself will be many many times larger

I agree, and despite the title, I tried my best to explain that in the video.

"the only gaming publisher that introduced passkeys in a way that it invalidates password and 2FA. You want to remove the passkey, you need to set up a new password and 2FA." That's the way it ought to be on every website, starting with all financial websites, but so far I don't see any groups or individuals strongly advocating for that position.

Sorry you didn't like the title. Saying "The implementation of passkeys suck" just didn't have the same ring to it.

@@AllThingsSecured your channel, your title 🙂 If the goal is convincing people to adopt passkeys and I read "passkeys suck", I think we're giving the wrong message. Keep up the good work

A title on a KZbin video has a truth to it, but also a bit clickbaity ? Say it ain't so ! 🙂

Interesting…which ones?

You're welcome, Darryl!

I tried to answer that toward the latter half of the video. It depends on the sensitivity of the login. For me, the Yubikey is the ultimate form of security, so it gets used for the most sensitive logins.

Losing a passkey isn’t terrible as long as you have a backup. In that case yes, you can go in, revoke the old passkey and create a new one.

👍🏻👍🏻

I forgot to say that I also set up alerts for my important/most important accounts so I get notified of activities on those accounts. Is all this a guarantee? No, but it is IMHO the best way to go at this time. I’ll check out passkeys sometime in the future when the Google/Microsoft/Technology industry has them better worked out and far more ubiquitous.

Certain security devices that you plug in do have that option. You’re mainly looking for anything that implements the U2F standard, not just Yubikey (though they may have one, too). The benefit of a physical device is that the keys are not syncable. They cannot be copied, even if an attacker gets a hold of your computer. With most software-based implementations, a skilled attacker could bypass any biometric authentication you have. Biometrics are a fuzzy-matching logic, which means they can’t be used to decrypt data as they are not a definitive key of finite variations. Something like a Yubikey can get away with this by making custom ICs that do not provide any exposed method of accessing persistent memory. To bypass that, you’d have to de-lid the chip and analyze it under a microscope, and be able to decipher what’s happening at the electrical level

Yea, I don’t think I’ve appreciated how important consumer packaging and user experience play a role in security standard adoption.

they still cannot get past the physical key, change pw/un all they want, the physical key stops them dead in their tracks.

@@russmarano3802 you seem to be under the impression that every single account/website on the internet supports 2fa keys. This is simply not true, most sites still do not even have basic 2fa let b alone physical keys. And yet you can get past logins that have this, it happens every day. You should watch some of these hacking videos on here and see how they do it.

Greetings to you as well!

I guess that depends on you. People assume it’s safer than with 1Password, but I would actually trust the security practices of 1Password more than an individuals.

You’re welcome 😉

It depends on how you've set it up, I guess. If the passkeys are bound to that single device and they aren't syncing, then you have your answer.

@@AllThingsSecured Ok, makes sense. But I am trying to think of a case where syncing with passkeys occurs in the context of Android phones. I think with Windows Hello as well, you're creating a passkey for just that computer. I have never owned an Apple phone, so I don't have any experience with them.

You are correct. I think I said in the video that every website implements it differently.

I think email address is fine, I can see how the flow of a login would be easier to build for many existing websites. The email address can also be a simple auto-fill by the browser anyway.

I appreciate the feedback but would need something a lot more coherent as a response in order to take you seriously.

Yikes you seem to be the type resistant to criticism. Wouldn't wanna take security advice from someone like this. Unsubsrcribed.

@@AmirIskandar Most people accept criticism if formulated coherently. But most people also struggle to explain concepts or opinions. You stated an opinion but refused to explain it. Who's fault is that?

While technically syncable passkeys are the same as single device passkeys, security wise they are different. With single device passkeys, there's no password manager account to crack to get a hold of a password- they need physical access to your device (phone, computer, yubikey, whatever) With syncable passkeys, the password manager account you saved it in, becomes an additional attack vector. But yes syncable passkeys, single device passkeys and yubikeys are all the same thing

When you control the service, you can do that!

No, it’s my fault on skipped frames due to some new equipment. It’s a one-time event.

You can either plug it into the USB-C slot or the Yubikey 5 series also allows for NFC (which is just tapping the key on the phone to use).

Sorry to hear that

You bet!

Agreed.

Same as losing a key to a padlock. Which is WHY you want to buy TWO Yubikeys, same as getting 2 keys when you buy a padlock.

Yes, what @azclaimjumper said.

Use your back up to login and remove the lost key from the account

buy two or none

So I looked around turns out the limits, for websites, etc. specifically, is on: Discoverable Credentials / Resident Keys, which is the part you talked about how services don't offer it (you still need to specify the username), so their is actually a reason for it. Having to enter your email address (maybe auto-fill-in by the browser) and so bad and makes it easier to implement the flow for a website, maybe. Also means you aren't running into limits on your Yubikey (25).

The others are, unlimited, so that does also mean they use an algorithm to calculate the private key per website, based on a single private key: pk=(hash (lowercase (website-domain))+single private key) or similar, probably fine, but it does mean it doesn't generate a completely standalone private key per website.

Look at the Token2 Swiss company's products - they have a lot more slots than Yubikeys.

I don't think so, although I'm not sure I understand the concern completely.

Please explain the question, because it's not clear what you meant

Thanks for the comment. Amazon may not be the best example, but Google wasn’t too much better in my experience. I find it interesting that you think I’m saying all this to push Yankees seeing as you can use the physical keys whether you use 2FA or passkeys. And if you decide to use 1Password or iCloud instead…great! As for “normal users,” I think that’s a cop out and underestimates what people are motivated to do now. Everything starts off with early adopter, but 2FA keys are far, far beyond that stage. I prefer to treat my audience as if they’re intelligent.

You do realize that there is no one “passkey”, right? You create a unique passkey for each login that allows it.

You don't have to use biometrics. You can use a long alphanumeric PIN instead, and/or a security key that is locked with a long alphanumeric PIN. They talk about passkeys and biometrics together because they know that biometrics are more convenient, and a lot of people care more about convenience than security in the online world (look up "most popular passwords 2024" for proof).

Think they are available in USB A & C also in a version that has NFC support for phone that are so equipped. Not sure if the USB C version will work on a phone through the USB port or not though.

Yes, that’s part of what makes them so useful: they work on any device that as a USB port or NFC capabilities (most laptops, tablets and phones nowadays).

How in the world is AI going to break security measures?

@@AllThingsSecured A good question? I asked ChatGPT and this was the answer. Cracking a YubiKey or any hardware-based authentication device is generally difficult due to its design and the security protocols it employs. However, if AI were to be used in an attempt to bypass or crack the security of a YubiKey, it might be applied in the following speculative ways: ### 1. **Social Engineering Attacks** - **Phishing**: AI could be used to craft highly convincing phishing emails or messages to trick users into divulging their OTPs or other authentication credentials. - **Deepfake Technology**: AI could generate deepfake audio or video to impersonate trusted individuals, convincing users to reveal security details or grant access. ### 2. **Brute-Force Attack Automation** - **Pattern Recognition**: AI could analyze patterns in user behavior, potentially predicting OTP sequences or other elements based on data from compromised systems. However, YubiKey’s security is specifically designed to resist such attacks. - **Enhanced Brute Force**: AI might assist in a brute-force attack by rapidly testing different combinations more efficiently, but given the limited number of attempts before the key locks or resets, this approach would likely be ineffective. ### 3. **Bypassing or Exploiting Software Vulnerabilities** - **Zero-Day Exploits**: AI could assist in finding vulnerabilities in the software that interfaces with YubiKey, potentially identifying flaws that could be exploited to bypass authentication. - **Behavioral Analysis**: AI might monitor and learn from the interactions between the YubiKey and software, identifying potential weaknesses or patterns that could be exploited. ### 4. **Physical Security and Side-Channel Attacks** - **Side-Channel Analysis**: AI could be used to analyze side-channel data (like electromagnetic emissions or power consumption patterns) to infer sensitive information during the authentication process. - **Physical Access Exploits**: AI could potentially assist in analyzing and automating physical attack methods (such as tampering with the device itself), though this would require access to the hardware and is more of a security research area than a realistic threat. ### 5. **Automation of Data Collection** - **Data Mining**: AI could automate the collection of large-scale data across platforms to find potential weaknesses or to cross-reference with known vulnerabilities related to YubiKey's implementation. - **User Behavior Analysis**: AI could analyze user behavior over time to predict when they are most likely to use the YubiKey, potentially helping in timing other forms of attacks. ### Limitations - **YubiKey’s Design**: The YubiKey is designed with strong security protocols, including physical presence requirements (e.g., touching the device), making it highly resistant to remote attacks. - **U2F and FIDO2 Security**: These protocols are built to protect against phishing, man-in-the-middle attacks, and other common threats, which limits the effectiveness of many AI-driven attacks. ### Conclusion While AI can theoretically assist in attempts to crack a YubiKey, the security architecture and protocols of such devices are specifically designed to resist these kinds of attacks. Most real-world attempts would likely focus on social engineering or exploiting vulnerabilities in the broader ecosystem (software or user practices) rather than directly attacking the YubiKey itself.

I think the weakest link is still the human, so using AI to mislead the human is going to be very common. That said: 1 of the big advantages of passkey is that every site has gets it's own keypair and thus you can't be mislead to authenticate to a fake site, this helps a bunch because that greatly reduces the number of possible misleading attacks.

AI is not in a position to crack secure codes, and won't be for many years, if ever. Nothing to worry about at the moment.

I be working online

You have to set up a 2FA Authenticator first.

Yea, I realize that now.

That’s part of the point - you can’t. And that has nothing to do with Yubikey, that’s all about how the different banks and services implement their login security.

@@AllThingsSecured I'm not criticizing Yubikey. I bought 3 of them. I'm just still baffled as to how I/we can use them to protect financial accounts like those mentioned from the most common form of interception.

@@utuber1000 it's simple, change your bank to one that lives in the 21st century. My condolences to my fellow Americans, who have to deal with these backwards companies.

I mentioned both Apple and Microsoft.

You’re funny. It’s really better to actually watch the video and then comment, then you’d know that passkeys and 2FA keys aren’t mutually exclusive.

I completely migrated 2fa to 1pw also use it for passkeys, ssh keys and all logins, has cli support and clients nearly everywhere

Ugh...so sorry Doug. I hate reconfiguring 2FA.

ente auth

Yea, I was frustrated as well.

I don’t think you watched the video. A passkey can be done easily for free, which invalidates your given concern completely.

@@AllThingsSecured I did watch the video all the way through. I priced a couple models of Yubikeys and two of them would be ~$200 ish. I'm skeptical of anything free. It's usually worth what you paid for it. As for putting my passwords into Apple or Googles care (shudder) I would never go there.

RSA Securid? Massively successful company, widely used in the corporate world. Not sure about the stock, but the product was/is sound.

I’m not sure I follow your logic here.

@@AllThingsSecured Network effects bro. Google it. As in your video (I think it was yours not another channel) even Google doesn't support Ubikey 100%. Bye.

What about 2FA?

Kind of. I think that's part of the problem, though - if you consider that a passkey (which isn't based on the FIDO 2 standard), then you just add confusion to the conversation.

Thanks! 🙏

Glad you enjoyed it!

That's beyond my control, sorry.

They don’t translate it in the comments because the Channelname isn’t shown there anymore since it now shows handles. (The thing with the @ in front of the name.) Since the purpose of these handles is to be able to use it as a link to the channel they can’t translate it.

Thank you, I know it's not under your control. It's a stupidity anyway, that a link 'AllThingsSecured' points to an accout 'Alles gesichert', who's real name ist 'AllThingsSecured'...😅

@@Huskyzeit I think the YT Developers haven’t really thought about that themselves. But funfact, on my home feed where I discovered this video the channel was shown as all things secured but only after clicking on the video Alles Gesichert was shown.

That shouldn't be the case. Passkeys require some kind of authentication, whether biometrics or a known password/PIN.

You'd have to rescan fingerprint or face id when attempting to use the passkey

As if video quality & fps is the main point here. Lol thx for the laugh 😅

@@yt_n-c0de-r It absolutely is. Hard to watch duh. Would you watch a movie that is jittery… absolutely not. SMH

@@tonyo.4226 In a movie quality of certain degree is key to the medium, a visual one. (Do I need to explain the words one by one?) Comparing this to a movie is like... I don't know, never heard such comparison that have vastly different goals XD Here, it's more like an essay. This could have been easily just a sound clip in a podcast. Visuals, aside from a few explanatory inforgraphs where framerate is so not relevant, just don't matter in these formats. But it still gives me a smile^^

There are keys with nfc, meaning you can scan the key to login.

Why not? Depending on your phone you should get a USB-C or lightning version of a yubikey. I happen to use both. And in some situations you might even be able to use the NFC version.

Most phones now have the USC-C standard, so you can plug it in. Or you can use the NFC capabilities to tap on the phone.

Yubikeys come in different flavours - usb-a, usb-c and nfc or a combination of those. Choose an nfc capable model if you want to use it against a phone, or use a usb-c version.

@@RobbyPedrica thank you I’ll check it out 🙂

Thanks for the judgement. Did you at least watch the video to understand my complaints or are you simply commenting on a video because you do t like the title?