I wish she would have included Aegis.

Raivo OTP is also great and open source

I used Aegis in the past but that unfortunately is tied to android phones only. I ordered a yubikey 5 nfc to be independent by authenticator apps

I use 2FSA. I'm happy with it.

Aegis is amazing

Doesn’t mean the are the best… or even good

@@MaxMustermann-vy7ur Agreed.

Great question, but I notice there seems to be very little to almost zero Microsoft related content in any of the videos for some reason.

Microsoft, lol.

quick tip: if you're storing your passwords in bitwarden, avoid storing your 2fa codes there too, especially for important accounts. you do gain security if the password itself is compromised, but if your bitwarden vault is compromised (eg by someone using your computer while the extension is unlocked), so are *any and all* of your accounts at that point. by keeping your 2fa codes separate from your passwords, you reduce risk of either one being compromised, even if it's a little less convenient at login time. I would always suggest keeping them on your phone, protected by biometrics and a different PIN/password (if someone tries to add their face to face id on an iphone using your unlock PIN, the 2fa app will then reject biometrics require its own to be used again - so that's still safe behind biometrics)

Google Authentificator is just bad …

So I can't use a Yubi with google Authenticator?

@@rainerrain9689 correct

@@JAM35_ Well that's not good ,so now I have to find a video on how to transfer all my accounts to Authy which does,am I correct ?

@@rainerrain9689 are you using google authenticator now? If so, you'll have to generate all new keys for everything, because google won't let you switch from google authenticator.

I agree. Authy has a reasonable set of additional safeguards which makes its cloud function more secure. That’s why I chose it as well.

I was in the same place til I moved to a password app that incorporates an OTP generator and passkey functionality. There's argument to be made for separating the password and MFA - but then, i protect my password app with my Yubi ;)

@@The_Nixie I'm not sure I can trust myself to not lose a YubiKey, so if I get one it'll just be for convenience at my pc, and I'll still have my Authenticator app set up as well. Also if you lose your passwords you also lose all your 2FA at the same time if you have them together. I always have my backup codes and 2FA separate, and if I ever move over to a password manager, I'll have that separate too. Way less hassle if I have to undergo mass account recovery. With Passkeys, I'm waiting until Apple implements Stolen Device Protection before setting up any passkeys so that anyone who has my device passcode, e.g. a family member, can't just use my device passcode to access my accounts.

@@Damariobros all true. I generally have multiple yubis + an auth app (for occasions when I don't have Yubi handy) - but no matter how you do it, your comment exemplifies why there should *always be more than one key to any lock. :)

They are sunsetting the desktop app in a few days. Major disadvantage. No idea why are they are doing that. Very inconvenient.

What app is that in the iOS App Store can’t find it

I searched “2FAS” in the IoS App Store and it came up as the second choice (1st non sponsored) labeled “2FA Authenticator (2FAS)”

@@AlmightyShadoe "2FA Authenticator"

I noticed that too!

I have two Yubikeys. One lives on my key ring (with my car key) so it is always in my presence, the other on a lanyard that hangs near my workstation. I think you are doing something wrong if both your keys are not readily accessible. By doing this I consider the chance of losing both keys is as close to zero as i can reasonably make it.

Yes, I think I will get some and try again because they are the best solurion, maybe get three!@@Dobbo314

@xileets Doesn't the cookie (stored on the device) count as one of the authenticators? So long as the same device doesn't also have the authenticator app too then any attacker would need two of your devices to breach the website.

How do you figure that passkeys are not 2FA? They satisfy something you have (first factor) and either a biometric (second factor) or a PIN or password (second factor).

@@Dobbo314 Correct, however, in some cases you can disable this requirement. And then there are relevant cookie vulns. There's a relevant CVE... Ill find and post below.

@@MaxPower-11 my first response was overly complicated. Yes, you are correct, if there is a second factor required. But some implementations allow just the use of a security key with nothing else, and that is not satisfactory on it's own, as some keys contain a single factor: something you have.

Depends on the protocol. I haven't hit the limits but here they are from a quick Google search: There are limitations with the YubiKey in terms of supported accounts. It can store up to 25 FIDO2 credentials for password-free logins, two OTP credentials, 32 OATH credentials for one-time passwords (when paired with the Yubico Authenticator), and an unlimited number of U2F credentials.

@@ShannonMorse thank you so much for replying. I ordered my first pair just yesterday! Your video helped.

They hold a maximum of 32 codes

Fantastic, so if I more website with 2FA I would need more keys. This is a bit sad.

@@zhiqiangzhou540they will increase limit for yubikey 6

It can be, yes. I used to keep many of my TOTP keys, recovery keys, and stuff like that in my password manager, but since migrated them to Standard Notes. By separating them, an attacker now has to compromise both my password manager and SN in order to fully compromise my accounts. I hope that's a useful and satisfying answer to your question!

Keys? Wallet? ID? A dinky key fits in my wallet no problem. But also cookies keep your phone logged in. Do you have to use 2FA every time you open an app on your phone? Probably not - if anything biometrics allow you to open your secure apps. You're not using a hardware key every day - you use it for your new devices and anything with public access.

Surely the issue here is to get them to "care" about security. I remember, when she was about 14 (she doesn't remember now she is 25) that my niece came to me asking bout Net Nutrality. She got why Net Neutrality was a good thing -what she didn't grok was why commercialism would want things differently.

Uhhh I'm not sure I understand your question. The app requires you to unlock it via a yubikey. When using the yubikey on its own as MFA on websites, it depends on what protocol the websites is using (FIDO U2F, TOTP, etc etc). Time based codes are never gonna be as secure as FIDO U2F since codes can be stolen.

@@ShannonMorse using the YubiCo app the codes are generated only if the hardware key is brought close. If I don't have the hardware key I can't do anything. Similarly, if I set the hardware key directly on my account, Google for example, as a 2FA system, no one will be able to enter unless they insert it or bring it closer to the device being authenticated. In both scenarios, security is linked to the hardware key. I hope it was clearer. thanks for the previous reply ☺️

The safest password in existence "chicken"

How Shannon is dedicated to ubikey.

Google Authenticator is bad

No, you'd have to re authenticate your yubico on the websites you originally sent up 2fa on. You'll need that QR code again

Doesn’t every authenticator app collect information about its users?

@iSucrose asked a similar question above and I gave what I hope was a good answer to it. At the end of the day, it depends on your risk tolerance and threat model. I know that's a common thing for security people to say, but it really is true. 🙂

It comes down to what you're trying to protect, and from who. I.E, as @ThatNateGuy states, your risk model. TOTP with Bitwarden is very convenient. But some would argue that putting both your passwords and your TOTP's in a single app and single device defeats the purpose of 2FA. If a bad actor can gain access to your Bitwarden account they get both credentials. But even just using a password manager and an authenticator on the same phone increases your risk if someone steals or impounds (think a law enforcement or border control agency) the device. It doesn't have to be an all-or-nothing decision. I use my password manager for TOTP on low- and medium-risk sites, and a separate authenticator for high-risk sites.

@mrkmdz But if you use a Yubikey (or two) to protect your BitWarden vault then doesn't that mitigate the risk? This is what I do. I like the fact that to add my BW vault to a new device requires one of my Yubikeys. And to gain access to BW requires the pass phrase or a biometric scan, so there are always two factors needed.

​@@Dobbo314 In general, yes. You need your BW passphrase + Yubikey to authorize a new device to access your BW vault. Then you need possession and control of your phone + biometric identifier + a memorized secret (either the BW passphrase or PIN) to unlock the phone and open the BW vault. Both of these processes are protected by at least two strong (AAL2) factors.

Yeah these two are just bad

Raivo OTP?

@@MaxMustermann-vy7ur ravio is cool but they did get bought out here recently

But what is up with her hair?!? There is only one tint in it! I'm only posting this because I can remember a post where she bemoans derogatory comments about her tints. What drew me to this channel was her approach to the topics she covers. I like the way she thinks; it aligns mostly with my own; and where we differ makes me reassess my own thinking. I'm not saying that I always agree with her - but her presentations allow me asses my own constructively.

Woohoo!