Debunking 5 MYTHS About Yubikey

Captions
All of these are two-factor authentication hardware keys. But why, Shannon, why do you have so many 2FA hardware keys in your studio? Don't ask. I don't know how I ended up with so many, but I do. I am a big fan of using hardware keys for two-factor authentication. You know the deal: these little keys can be used to protect your online accounts from being taken over, and that includes all of your favorite sites like Instagram, Gmail, Twitter, Facebook, YouTube and a lot more. But how does it do this?

Hey s'mores, I'm Shannon Morse, welcome to Morse Code. And first we need to get into what is a hardware key and what is a YubiKey. Now, there are a few different brands in this market that I trust. For example, I have used the Google Titan, which you can see here. I have also reviewed the Feitian keys like this one. But YubiKey has a wonderful variety, as you can see, so I am going to use theirs for today's video. Now, I am going to focus on how you can use one of these for individual use, not for enterprise or small business, since most of y'all are consumers just like I am.

Whenever you log into a website online, you always have to type in your username and your password. If you want another layer of protection, lots of websites these days allow you to turn on another setting, which is called two-factor authentication, or sometimes it might be titled multi-factor authentication. Now, this will require you to type in your username and password but also input a special code, usually about six digits, that only you have access to, and that code changes every minute or so. Now, codes are sent to you over text message, or maybe email, or through an application on your phone, and if you do not type in that code fast enough, you have to request a new code or wait for the page to refresh.

Now, you've probably gotten text messages like this from your bank or your credit card accounts online. They will send you a text that says "don't share this with anyone, here is your login code", and then it'll be like six digits, one two three four five six, and it will be something random. Because these codes are constantly changing and they are random, they do add pretty strong security to your accounts. But if someone was trying to log into your account and they may have access to your phone number, or they could see your text messages over your shoulder, or if someone logged into your email account, or they stole your phone, they could still see those codes when they get sent to you. Two-factor authentication codes do add an additional layer of security to online accounts, but you have to protect those codes, because anybody can read them if they see them with their own two eyes.

So that is why I wanted to do this video today. This is why YubiKeys and Google's Titan and the Feitian keys, that's why these exist. These protect you from those kind of phishing attacks because there is no code. Instead of needing to type in a code, you put in your username and password like normal and then you plug in one of these little devices into your computer or your smartphone, which, in the simplest way to describe it, means that a thief would literally need this physical key plus your username and password to steal your online accounts. Now, if they guessed your username and password, or they stole it from another breach, but they don't have this key, they still cannot get in, because they would still need this key. Now, I know that there are some caveats, and without getting deep into the "well, actually"s: yes, there are ways for an attacker to get around two-factor authentication, but since those issues usually stem from successful phishing attempts, we are going to move on.

So now you know what hardware keys do. I often get questions about hardware keys that I want to debunk. There's a lot of skepticism about how a hardware key can protect you, and I constantly find myself answering the same kind of questions, so I wanted to get into debunking some of these myths today.

Let's start with myth number one: you can't use 2FA if a site doesn't accept a hardware token like a YubiKey. Well, hopefully you still can. They hopefully give you the option to use two-factor authentication codes for authentication, and if that's the case, just enable that instead. I recommend receiving codes through an app on your phone over text messages or email. Like, you can download Google's Authenticator, you can use Authy as a third-party application that sends codes to your phone, even. You can use your phone itself to receive two-factor authentication codes for some accounts online. For example, with one of my Google accounts (I have several) I have to receive a code that is sent to one of my Android devices in order to log into that specific account. I don't have to open up any applications, I just get a notification on my phone saying "was this you?" and then I can accept it or deny it. Now, the thing is, do not share these codes with anybody. Keep them secret, keep them safe, like Gandalf said.

Yubico does offer an app that they made themselves that you can use as well, and it's kind of a workaround for these sites that don't usually accept hardware keys. See, instead of accepting a key, you would get a code from the Yubico app and protect the Yubico app with the key. When you unlock the app, you can see the code.

Now here's how that works. First, log into the website where you want to set up 2FA. Go into your settings for security and look for the option to enable 2FA. Click on that, then choose to get codes sent to an authenticator app like Google Authenticator or Authy. PayPal has added the option for a secure security key, but let's just say they haven't added that yet for demo purposes. On the next screen you will see a QR code. Now jump over to the Yubico Authenticator app and plug in your YubiKey. On the Windows app, go up to the sandwich icon and click it, and go to Authenticator. To add an account, click the three little dots and choose "scan QR code". Now hopefully it sees the code on your screen, but if not, you can manually add the account by clicking on the three little dots and choosing "add account". Type a name for the issuer, your account name and the security key. This security key is a code that is usually written out right underneath the QR code, which you can just copy and paste into the Yubico Authenticator app. Under that, you can require a touch on the key to unlock the codes, which I enabled. Then click "add account". The account is now registered on that key, and in order to unlock the six-digit code I have to touch the actual key. From there I can copy and paste the code into the PayPal page to enable two-factor authentication. Now, anytime I log in, that code will be required in order to access my PayPal account. The code changes every minute or so, and I can always update or remove the key from my PayPal account if needed.

So with the Yubico app you can actually use your YubiKey, like this one for example, to protect the codes that are sent to your YubiKey. The codes themselves actually get stored on the key, and the app just lets you read them, because, well, this device obviously does not have a screen on it, so how else would you read those codes? You read the code, you type it into the website when it asks you to, or you can copy and paste it as well, and then you log in. The only way you can access those codes, though, is if you have this specific key, since those codes are actually on this key.

Myth number two: you have to carry a hardware key with you everywhere, 24/7.
No, actually you don't. Now, once you log into your devices (like, for example, I have a Chromebook over here), those devices are going to remember you as long as you allow them to, so you don't have to use this to log in every single time. If you get a new phone, then yes, you would need to pull out your YubiKey and log into your new accounts on your new device so that that device is registered with your online accounts. Every few months or so you may have to reauthorize your YubiKey as a trusted device on your phone or your laptop. Currently I have mine set to about 30 days for all of my accounts and all of my logins to basically forget my login, but otherwise, no, you don't need to use it every single time.

Now for myth number three: you need a different key for each and every account you have online, and that is going to get so expensive so fast. No, again, you do not. You just need to buy one, although I recommend buying and setting up a backup key just in case you lose your main YubiKey. YubiKeys do have limits, but those limits are relatively high depending on the type of two-factor authentication that the websites accept.

Now, not necessarily a myth, but one of the questions that I often get is: can you set up more than one of these hardware tokens per account? And yes, you absolutely can. On most websites that do accept hardware keys, they will allow you to set up more than just one main hardware key. Either they will give you the option to set up a main hardware key and use codes as a backup, or they will let you use two hardware keys on that same account, so that way you can set up a second one as a backup. So what I do is set up my main one, and then I go back through the same exact process to set up a backup one. Then I store the backup key in a secret place that's safe and very secure in the event that anything happens to my main one.

Myth number four is: if you lose your key, you are totally screwed; if it stops working, you are totally screwed. And no, not necessarily. Again, a lot of online accounts allow you to set up a backup system for logging in. So if you don't want to set up a backup system, online accounts often should give you a few special codes that you can copy and store away in case you lose your key, and you will see those show up while you're setting up your two-factor authentication key. Those codes are one-time use codes, though. So if you are setting up two-factor authentication on your online account and the website suddenly shows you a list of like 10 different backup codes and says "these are your backup codes, they are important, store them somewhere safe", do what it says. Don't skip that screen. Print them out, copy them over to a password manager (make sure your password manager is secure), write them down, whatever. I don't care how you do it, just make sure you keep those codes stored safely somewhere in case you lose your hardware key.

And myth number five: this will not work on my accounts. Well, I'll say this one is a little bit tricky, because there are a bunch of different protocols that websites use with two-factor authentication, and there are plenty of websites, especially banks, I don't know why, but they still just do not accept two-factor authentication hardware keys. They always just send you text messages, which is ridiculous given that that is the least secure option for 2FA. But when you go into your settings for your different accounts, the website will usually tell you which protocols it uses in case you are interested, and practically all the popular ones do work with products like the Google Titan or the YubiKeys. Now, luckily, Yubico even has this really handy list on their website that you can check before you decide to buy one, just to make extra sure that they work with the websites that you visit most often.

Now, do you have to use a hardware key for every single one of your websites online? No, not necessarily, but I do use one for all of my most frequently used and most important websites. So that would be, for me, since I'm a content creator, social media; my banking applications, if they do accept hardware tokens, which a lot again do not; credit cards, same thing there; and of course email, that's a really important one too.

Now, this is why I recommend hardware and physical keys so much: because someone trying to break into your account could not do it remotely from far away. They would legit need to know your username and password, which they totally could get from online leaks, that's entirely possible, but would also need to steal this key from you. And if that happened, you could always revoke the stolen key's access to block any attempts, and you could just buy a new one, or you could use that backup key which you hopefully purchased in the meantime. Revoking a key is as easy as hitting up the website on a computer or a phone that you are already logged into, going into your settings, finding security and two-factor authentication settings, and either deleting, revoking or removing the stolen or lost key. And once you do that, you can change your 2FA options or switch to a new key entirely. And of course, if somebody is trying to steal your account online, change your password as well, just to be on the safe side.

I also find that using a hardware key is a lot faster than waiting for a text message, an email, or checking an app for a code. You don't have to type anything, you don't have to remember a code, you don't have to copy and paste anything. You just tap, or you plug in, and you go. With any of the code options, you have to unlock your phone and wait for the 2FA code to pop up, or you have to open an app and you have to find the matching account. With a hardware token, you tap it or you stick it in your machine. That's just less steps involved, so it's going to make it a faster process, as long as you have that key on you and it's not like way in another room somewhere, which is also a possibility.

I know that there's a lot of hesitation around hardware keys because they seem convoluted or like too much effort. This is not a sponsored video for any of these companies. This is just something that I constantly try to preach to people to upgrade to, and I can't tell you how many times I've gotten DMs from people on Instagram or Facebook or Twitter saying like, "hey, my account got hacked, I don't know what to do". And once it's hacked, I can't really help you, because I don't work for those social media companies, but I can help you secure your accounts before it happens, and this is one of the best ways to do that. The biggest effort you will make is just setting them up, and then after that it's smooth sailing and you are more protected. You no longer are the low-hanging fruit for an attacker, and that's really what it's all about.

Now, I'm curious what other myths you might have seen about hardware keys used for two-factor authentication. I do have a direct link down below. It's an affiliate link just to purchase one of these, and that does help support the channel, but it costs no extra to you if you were gonna buy one anyway. But otherwise, just consider it: like, save this video, go back to it whenever you're thinking about getting one. I have many of these that I have bought over the years. Obviously I love them. I have upgraded from one to another over time, and I find that these are more convenient than 2FA codes. Tell me about your experiences with hardware keys down below. I'll do some more videos about them in the near future, so subscribe and look for those soon. Bye y'all!
Info
Channel: Shannon Morse
Views: 188,777
Keywords: two factor authentication, yubikey 5 nfc, yubikey review, yubikey 5, yubikey 5ci, yubico security key, yubikey 2fa, yubikey setup, yubico, yubico authenticator, 2fa, security key, yubikey security key, yubikey authenticator, security keys, yubikey iphone, two-factor authentication, cyber security, online security, 2 factor authentication, 2fa key, fido u2f, yubikey 5c nfc, yubikey 5 nfc iphone, yubikey 5c, yubikey bio setup, yubikey nfc, how to use yubikey
Id: vjTA6DeD9y8
Length: 15min 35sec (935 seconds)
Published: Wed Sep 28 2022