I think you saved me. No way this was getting done without your video. Much appreciated!

If you use Linux Mint you need to edit the lightdm file as Linux Mint doesn't use gdm-password. Just follow the same method for making the change and it will work the exact same way. I have been looking for a guide to Yubikeys for over a year. How did I miss this back in April? I love this channel! Subscribed.

Thanks for going to all the trouble of making such a thorough Yubikey primer. You ROCK my friend!!

I've just subscribed & rang the notification bell. I've read all the replies up to this point. I, like most everyone else, wish there was no background music. I've successfully "Smart-Cart Enabled" both of my YubiKeys to both of my Macs. The only way I can log into either computer is with my YubiKey/PIN. Login passwords no longer work. It should be mentioned that High Sierra OS 10.13 is the oldest Mac OS that can be configured to use YubiKeys. Warm Regards from Reno, Nevada

Great video on the yubikey, thanks for making it. I could do without the background music though, it's too loud.

An additional application for these is PGP encrypted emails. You can load in your private key stubs and then when you send an encrypted email you just touch the key for the email to be encrypted and signed with your private key. The trick is finding other people who are first of all nerdy enough, and second of all wise enough, to use PGP. I only know one person - me - and so I can only send encrypted emails to myself. But it's a very agreeable secret conversation.

One of the most complete YubiKey videos I've seen!

Great video! I just would like to give my point of view as a user and also describe how I use my Yubikeys (not as you does). I use Yubikeys, but the implantation of FIDO2 is lacking mon many websites, and sometimes you can only register one key... I hope the situation will improve in the future. So, about the Yubikey 5 (the on that I use) OTP have a limit of 20 or 25, so if you have more them that you have to mange multiple Yubikey or really on tiger solutions. About the biometric Yubikey serie 5 potential user have to consider the longevity and reliability of the fingerprint reader, personally it's a concern for me maybe not for other people. About my usage, I love the opengpg support of the Serie 5, generating your master keys and sub keys with a expriation date, and burning the subkeys on your Yubikeys. The private subkeys are on your Yubikeys, and the private master key never touch a online computer and is store and backup in different and secure places. Private subkeys can't be extract (beside some exploit...) You can configure your key as you want, for example can set a pasword, requiring the user to touch physically your key, set the number of try before the Yubikey destroy you subkeys. Opengpg is very flexible, You can use this for a password manager, for encryp email, files, to log on you server using ssh ( SSH using opengpg is more convenient for me , the technique use in the video require openssh 8.2.. this version isn't yet on every LTS distro since it's quite recent. But FIDO2 is a more secure it's a fact) I like the fact that I use one public key for everything, that the key never leave my Yubikeys but that I have the master key and that I can switch of other device or tools in the future that supports opengpg. So my advice, chose your Yubikey accordingly to you need, and don't forget to setup you Yubikey, for sensitive use case setup your Yubikey in a airgape PC using a live distro like Tails who supports Yubikey out of the box. Keep in mind that if you don't manage your keys, someone else does it for you..

Thanks for the video. What was missing is a backup strategy.

Just recieved the cheaper security key series ( blue one) and it does support NFC. I tested it with my phone. I also think it supports OTP. See the wifi symbol on the key.

The Best intro and workarounds about Yubikey!

The background music volume changing is kinda jarring. I think it would be better if lower volume and consistent.

Thank you for making the Mac login with Yubikey so easy to follow.

Great video. Informative and clear as always. I see plenty of feedback on the background music, but just one additional suggestion: Consider testing the background music at different playback speeds ahead of time. For those of us who listen on fast playback, some music/tempos develop strange artifacts and become extra distracting at faster playback speed, which might contribute to why some found the music more distracting.

I've done a little more investigation and going to /etc/pam.d and changing common-auth seems to cover all the login methods at once. Changing the individual files gives finer grained control but for a change that should be ubiquitous common-auth is probably a better place. I don't do ssh so I didn't test that. If you do decide to change common-auth you will probably want to back out the changes to the specific files such as login, unless you like pressing the Yubikey more than once.

I'd like to hear / see more elaborations on the various aspects of the yubico, like what are those slots that you where mentioning @27:26?

Gday Jay, firstly I love your content👍🏻 You explain things simple and very easy to follow along. In regards to Yubikey, would you consider doing a tutorial install for Fedora? I have had no luck as the documentation is not easy to follow (for me anyway) or it’s not up to date. Thanks again for your work. 👍🏻

When logging in to your OS, why do you have to supply a password when using Yubikey? I thought Yubikey eliminated passwords? Thanks!!

I finally broke down and bought one. Re-watching this to see what I need to do to get this working. Of course this is the first place I go. 😀

Probably best Yubikey overview I've found, and I've been reviewing quite a bit of different instructional material. So, thank you for this. Would be great if you can also create a Yubikey - Veracrypt instructional video as well.

Thanks

Although it doesn't carry the certifications of the HSM, the YubiKey 5 series can also act as a HSM, storing private keys in a way that can't be retrieved (so the YubiKey itself signs certificates, for example). SmallStep use this capability to build a Raspberry Pi-based local certificate authority.

Apparently the name has two sources: 1) "Your UBIquitous KEY" and 2) Japanese word "yubi" (指 'finger') to represent touching your YubiKey with your finger to verify your physical present.

Thanks!

You have the same Edifier spears that I have, though mine not on desk. Use connected to my echo to play Amazon music, for house speakers. Love these speakers.

Superb guide!

This was a great video for setting up the Yubikey, however, what is the process to add your backup key(s) to each system?? Do they not have to be somehow sync'd to each computer individually as well? Secondly, I have major hearing issues and I would appreciate it if you discontinued ANY background music in videos, your videos are great learning tools and the music makes it almost impossible for me to actually make out what you are saying. Thank you

Great video but the music in the background is too distracting

Thanks for the video, will those commands work on redhat or CentOS? If not can you include the required commands?

Great video. No complaints here.

Why the music? It is too loud and a big distraction. At times, the loud music was in the foreground and your instructions were in the background. I even tried skipping ahead to avoid the music, but the distracting music did not stop.

I just found about yubikeys through Tom's video... Did not give this a thought before since using an app to do the 2FA.. Going to order one and a backup one asap.. Seems invaluable these days! Thansk alot of this great video, very well explained!

Really awesome video. You produce good content; it was very helpful

11:48 Doesn't this mean that if the device is plugged in to your PC anyone can login (because it does not have biometrics) or do you still have the password entry?? Edit: 21:37 I see now you have a pin to remember instead of a password.

Great session!!! Thanks found value

Dunno why but I got the automatic pairing message. Btw thank you for a video - so good and so informative.

How can you add RFID/NFC to a PC that doesn't have it? I am just about to add Yubikey to my systems and I have a NFC Yubikey for use with my Android phone and would like to use use NFC on my desktop as well. I also agree with others about the background music and it's default volume. Also are the step for installing Yubikey on MS Windows the same for both Win10 & Win11?

Thanks for the Yubi-Key walk through. Is that a System 76 w/ Threadripper in the background?

I wonder if this works on a linux laptop when you have disk-encryption. Would it work than, get you to the encryption passhrase and from there login with the key? As prior to that it wouldn't be able to read the /home. Wonder if it interferes though or just works as well. For online accounts it's recommended to have at least 2 keys. How to deal with that when you use it for login? Nice video though!

Hi Jay, great video! Does openSSH with Fido2 work with nested ssh sessions? For instance, I usually ssh from my windows machine into my Pop-OS VM, and from there I can run tmux and SSH into my other linux servers.

Very good tutorial !!! One question: where is the link to the blog post with the commands? I went to link you wrote on description but the blog post contains only the video .

Just bought one the other day. Great video. Thanks! 👍❤️

Thanks Jay, this video is a big help! Just wondering... Do we need to setup PIN, PUK and Management Key for each additional Yubikey we want to use as backup? Thx 🙂

Mr. Jay, This is just an idea for a future video. I would like to see someone deep-dive into the new LXQt 1.1 vs LXDE. What would be the reasons to continue to use LXDE ? Where does each excel in 2022 ? What are some of the major problems with either ? Is there any reason to use either on a new computer ? What would be the difference between using LXQt, and just configuring a KDE Plasma session to use less resources ? What are you giving up in LXQt vs. KDE ?

Wait, isn't it yesterdays video?

At 27:34, The computer doesn't detect my Yubikey, does anyone know why? Running Windows Got Yubikey 5 NFC Also my NFC when it ap it on a phone doesn't work? The personalization program finds it, but OTP is greyed out? Can anyone help me? Has anyone else been through the same programs?

Great video, plan to play with my metal install of Ubuntu soon. Is there a way to make a Yubikey work on a Proxmox Ubuntu VM? I can't seem to figure out how ro forward the port USB w Yubikey to VM....

Regarding the last segment for SSH: How do I add a second Yubikey?

Good job, but additional questions: how to use Yubikey Bio for Linux login & how to save more than one key on a linux machine

Nice work, Jay. What happens on a Windows desktop if you use a Microsoft account to log in to it? Also, I administer linux servers using Putty for my ssh connection. Can Yubikey help in that use case?

It is weird Jay added background music in this one. His other videos do not have it.

Hello Jay. Many thanks for a great video on setting up YubiKey. Just noticed at 39:17 where you create the SSH keypair you have a typo in your command. The keys where created however, the date subshell included a ')' in the name. Command should be: ssh-keygen -t ed25519-sk -C "$(hostname)-$(date +'%d-%m-%Y')-yubikey1"

Is there any risk on windows or mac of the program being deleted would it affect logging in? Or does it revert to old standard password. 1 thing you can do in mac is in settings make it so you have to allow USB devices. So a prompt comes up before it can be used.

For some future person having problems setting this up for a Debian device (Raspi 4 in my case): if you can't login after setting this up this will likely be due to a PAM Module error (at leas this was for me, you can check by ooening a second terminal and trying to ssh in. After that check the debug by typing in "sudo journal -u ssh -e). If thats the case edit the /etc/pam.d/sshd file and delete the key=.... part and replace it with "debug". This is the right way according to the recent documentations.

Is there a risk to carrying a yubikey with you along with your phone? Eg could it allow access to the phone? That worries me when I see videos on KZbin such as Payette Forward

2:48 after very long intro... What is a Yubikey?

For the implementation of FIDO2 for OpenSSH, how is it possible to use two different Yubikeys? If one yubikey is lost, there would be a backup for login.

Thank you for the in-depth video. Unfortunately, I have yet to start setting mine up because the directions do not match what I see on my end. I purchased two 5ci that are useless to me because I can't find directions that match my laptop setup, and the downloads do not do anything on my phone. I am running all up-to-date current software on both relatively new devices. I wish I could just pay someone to help me. Better than being out $150 for nothing. 😭😡

Hi Jay please can you do a video how to setup pam_passwdqc from source code on Debian?

For the setting of the yubikey pin, What if all we have is an iphone, No desktop ?

I have two keys. Is it a bad idea to use the same PINs for both keys, say when setting up PIV? My thinking is these should be clones, correct?

What if in the descriptions it says it can act as FIDO ASM may access authentication devices, create & delete FIDO registrations on behalf of other apps?! Is this good or bad???

Is the process for setting up a Yubikey and a backup Yubikey at the same time different?

Are you able to use your local Yubikey to do sudo on the remote server?

Nice nice! Does YubiKey work with Metamask, can we secure it with it!?

how can a product profess to do away with passwords when it is inly supported by a handfull of platforms, most of which Inhave never used and never heard of

Great video but the music is WAY TO LOUD!

Is there a version of this video without the background music?

Ok Thanks Jay i will subscribe now ... hold on .... ey voila. I use Linux Mnit Desktop Dell 390. I have a love hate relation with the cli. I did install the Yubi authenticator via the app image and the manager. Then i started copying your commands and this went ok untill i hit the command: sudo nano /etc/pam.d/gdm-password. This file is empty on my system and in Jays example it is not, here it stops for me. When i want to use a sudo command i do have to touch the key. So i did something good, but after a reboot the desktop just boots up and starts and logs in without me asking anything. I need to find out why my gdm password file is empty. And to be fair it is a lot of work just getting the key on all my devices, phones, tablets, windows pc, linux laptop and pc, the power macs, the G5 ' s ..... For al the weiners about the music ..... if you can do any better then jay then bring it on. It is so easy to cry and point, ppl should realise that making any kind of tutorial written or filmed is really hard to do.

I'm pretty new to Linux but have 25+ years of Win support, I was able to complete this and it worked great when logging out and testing but then I restarted the laptop and I couldn't log back in, it kept saying password was incorrect. Had to restore from snapshot from yesterday. Any ideas what could have happened, running Mint 21.3 cinnamon and had recently updated the kernel to 5.15.0-102.112. all is good after the restore but I wanted this to work and I'd love to understand how to get it to stay working. I also had to use the fix from the comment that says to edit the lightdm file as Linux Mint doesn't use gdm-password and that worked.. thanks

Question - In your opinion, what's the privacy implications of this? Because surely if the key has its own unique ID & is registered across all these platforms, you're basically (through the use of this key across all of your accounts) constructing your own digital identity for big tech... banking apps, online shopping, social media - the lot. This key being the concrete proof. Perhaps why all these corporate giants (especially Google) partnered up?? Are they sharing data about this stuff?? Correct me if I'm wrong, but I'm skeptical... sounds like data harvesting/ method of knitting your accounts together, that's being marketed as 'security'. Similar to what they did with cars - keyless entry was marketed as a 'safety feature'... until it was abused by criminals. Thoughts?

I'm a novice at this. Is there any key or device that enables complete lockdown of a PC -- not just a lockdown of user accounts?

very useful on everything

Hi Jay: Question for you. I followed your instructions to set up Yubikey with local macOS user account. It works to unlock using the Yubikey code when the key is plugged in the USB C as you demonstrated. However when the key is not plugged in, it does not prompt me to insert the Yubikey to complete the log in process. It's just using my Macbook log in. Am I supposed to disable my Macbook log in? Kindly advise...

Thank you, i was wondering if you can run an ansible playbook against a yubikey configured host? It gets hung at the beginning and I don't know how to make it prompt for a yubikey password?

how do we integrate with SSL , great if you can showcase

I bought mine today, got it home and... nothing. No lights come on when I plug it in and I have tried on multiple devices. Checked every setting. Looks like mine was faulty. I've already spoke to the store and I'm good for an exchange. Hopefully, the next one works fine.

Can you use the key with multiple devices?

Would I be about to use a Security Key C NFC The YubiKey 5 C NFC to create passkeys for my APPs and Websites? Or do I need to get The YubiKey 5 C NFC. What would be the reason way I would want to get The YubiKey 5 C NFC over the Security Key C NFC

Fun fact... adding "cue" to the end of the auth line gives you a prompt to "Please touch the device." _auth required pam___u2f.so__ cue_

This video is only 9 months old but your Yubikey Windows GUI isn't at all like mine that I just downloaded and installed from Yubikey. I guess they revamped the GUI since you posted this.

what exactly is the change management key? I mean if I have 2 yubikey can I copy the management key of the first yubikey to my 2nd? if so .. what will happen? for what purpose is the management key exactly? is this the key to somehow clone the other one?

If someone forgets the yobico device then what step can we take ???? Plz answer

I know there is another method for SSH by YubiKey is via OpenPGP. Any tips for that? I have been screwed up on that

To find your username in windows run cmd (Winkey = r)(type cmd in the run box) and type whoami in the cmd window

A really good informative video but the music choice is distracting, too loud and not sure why its there.

Can you compare this to the solokey v2 next?

usb to micro usb adapter for smartphone can i use this key on galaxy s20?

How would you access your account of you only had one key and it breaks or lose it ? Like 1 password says click cancell then enter for. Authenticator app. What would be the point in having a yubi key at that point.

Great video. However, many of the Security Key series have NFC capability. This is clear on the Amazon listing.

Thanks for the great instructions!

Does YubiKeys work with ARM PC's?

What's the Best yubikey 5 NFC or yubikey NFC?

excuse me please but how come in your set up you only set up a piv pin what about the fido2 pin thanks

Hi there. How do I configure yubikey on mac so it will allow another local user to login to MAC

Is there a way to set the Yubikey to factory defaults?

What were the 3 pins for?

Have you ever listened to your videos before airing them, DH. Maybe you should try that once!

Why I have never seen anyone use it on desktop PC????? and btw does it work for that

For some reason the login with the yubikey doesn't work in Linux mint if it's after a reboot or a system shutdown, i followed all the steps and i can't figure out what have i done wrong. Do you have any suggestions? I'm using mint 21 xfce