- [Orman] This is the Yubikey Five and the makers of this
little device say it can help to protect you and
drastically reduce the chances that the bad guys will
get into your stuff. In fact, when used with an application called a password manager, it says it can reduce the number of
passwords you need to remember and in some cases, eliminate the need for passwords altogether. Can it really do all that? Let's find out. (air whooshing) Hi, I'm Orman Beckles
a.k.a The Hi Tech Nomad and in this video, we're going to look at the brand new Yubikey Five, and I'll show you how to use
it and a password manager as a foundation for a simple to use but highly effective way to
keep hackers out of your stuff. Now I looked at all of the videos that are up on YouTube
regarding the Yubikey. Some of them are as
short as 13 seconds long. That's not enough time to
show you how to use it. On the other hand, the time it takes to show you is probably about an hour and quite frankly, most
of you will not sit still for an hour video. So I'm going to have to
break this into parts. This is part one and I will
publish the other parts as quickly as possible. To show me that this is
the kind of information that you want, please hit the like button, please hit the subscribe button, and please leave comments below, letting me know that
this is the type of video that you wanna see regarding
complicated subjects like this. Yubikey has been around since 2007. However, you may have
only heard about them because recently, Google
published an article saying how they distributed the
keys to its 85,000 employees and made it mandatory that they use them, and since then, it has reported zero successful hacking attempts. So Google is actually so impressed that they now make their own
security key called Titan, but in my opinion,
Yubico is still the best. Now you should have two keys because once we start
locking things down, much like your house or car keys,
if we lose the keys, we're gonna lock ourselves out. Now I don't want that to frighten you unless of course you're
a person that loses all of your car keys on a regular basis. In which case, I would suggest
that you get three keys and put one in a safe
or give it to a friend that's less accident prone. This key chain one which
also has NFC is the one that we're gonna carry with
us and use with our phone and use when we're out and about. These nano versions
are small and are meant to be left in the computer
for extended periods of time. As you can see, they
have very low profiles and won't get in the way. So we're gonna start
simple and work our way up. So let's go ahead and
log in to a Gmail account that I've set up just for this example. So here we are, it is Yubikey video. So I'm gonna go ahead and click on that and then we're gonna put in the password which in this case is password, and I'm telling you
that because we're going to show that even if people know what the password is,
we're still gonna be able to keep them from getting our stuff. So you can see the password is password. P-A, dollar sign, dollar
sign, we're trying to be tricky here, W-O-R-D. So if we did nothing else
and we wrote this down on a piece of paper next to our computer and somebody got that, they could go home and they could log in, all right? So we're gonna go into our Google account and we're gonna go into sign in to Google, and what a lot of places try to get you to use is something called
two-step authentication or multi-step authentication. Basically, they're gonna
ask you to do two things when you log in. Now the problem is
that you don't even want to do one thing to log in, but it's safer if you, you know, we're
trying out, it would be nice if we didn't have to put
locks on the door but we do. So it's better. The more locks we have, the better, but we wanna make it nice and easy. So of course they talk here about turning on your
two-step authentication and all of the good stuff
that comes with doing that. So we'll go ahead and go to the next one. We've now turned on
two-step authentication. We have to log in again. So we'll log in again. P-A, dollar sign, dollar sign, W-O-R-D and let's go ahead and click next. Now it says "Should we set up your phone for your two-step authentication?" Let's go ahead and set that up. Now you're gonna have to do this to turn on two-step authentication but this is not a good idea, and while you might think
"Hey, that's pretty cool. It will send a text message to me. I have my phone. I'm fairly secure. Everything's fine and dandy." That's not really the case. This is better than nothing. This is better than having
just the bad password. All right, so I got my code
as you can see down here in the bottom of my screen. Now you might be wondering
how I got this code. That was sent to my phone on the screen. That's covered in
another video called Join which is nice, little
software that you can use so that you can see your text messages on your computer screen. So check that out if you're
interested in seeing that. But the important part here is this. We've now turned on
two-step authentication. Now that we've turned on
two-step verifications, we have a bunch of different choices. The first choice we're gonna
look at is backup codes. These are 10 single use
codes that will allow you to get into your account
should anything else happen. So for example, if you lose your phone or we lose our security key. I strongly suggest that you
make use of this feature. To use it, you're gonna
click on show codes. It will show you these codes and then you can go ahead and
download them or print them, and obviously, you don't
wanna download, print them and leave them on your desk. You literally wanna put these like in a safe somewhere knowing
that you can still get in with one of these codes
should there be a problem. Now for those of you who
are hurrying to scurry down to look at my codes now,
you can change new codes by doing this. Once you do that, the
codes that were previously on the screen will not
work for this account. So obviously when I'm
through with this video, I'll hit it again and again and again. So that's the first thing
we wanna take a look at. The next one we're gonna take a look at is using the Google
prompt which is sort of nice and that's specific to Google
and what that will do is when you try to log in, it will use one of the Google apps on your
phone that you're already using to say is it okay if you can get in, and that's fairly decent
that will allow you to get in and that is fairly secure. The next one is Google Authenticator and this is not too bad either. This generates what we
call a one-time password or a timed one-time password,
and what happens is it will show a series using six numbers that change every 30 seconds and those are very very difficult if not impossible to replicate. So again, using Google
Authenticator is fairly decent. Now the problem with that,
in most cases, is people do not want to pick up their
phone, look up the six numbers and then put the six numbers in or perhaps they don't have their phone. So that brings us to the last one and the last one is the one
that we wanna talk about. This is using a security key. So how do we add a Yubikey to our account? Well that's actually fairly easy. All we do is add security key. It will show us the key. It says put it in. It says okay. If you've got it in now, it's
gonna glow green for a second. I touch it and that's it. It says it's about to
our security in a sense. What key is it? This one happens to be
the USB-C key that I have. We're okay if we lose them because we still have our backup codes but for the sake of this discussion, I will add a second key. So I have the other key
from around my neck. I've now added my second
key and this is the key that I actually wear around
my neck with my dog tags. So I now have two keys
and I may even add a third or fourth key. Add my wife's key and then
I also have a master key that I keep down in the safe. The problem here is this phone number. We already said that
this is the weak link. So I'm gonna actually go in
and click on remove phone. I do not want them to be
able to send a text message. And there you go. Bob's your uncle. We have an account that
is pretty well-protected. The only way you're gonna
get in is to have my password and either one of these two keys. If you do not have either
one of these two keys or this backup code that I'm gonna keep in the safe, you are not
getting into this account. So using this method, we have
a very very secure account. So much so that I'm not
changing my password. Please feel free to try and
go and get into this account. Again, the email address
is shown on the screen. Go ahead, have at it. You're not gonna get in. Now unfortunately, not every
site is currently making use of these security keys,
but a lot of them are. For example, let me go
ahead and log into Facebook. As you can see, you cannot
log into my Facebook account unless you have one of these keys. So for example on Twitter,
it's asking me again to log in with my security key. Now unfortunately, not all the
websites currently make use of these security keys, and
until they do, we're gonna have to find another way of making sure that we have a different
password for each website without having to keep all of
those passwords in our heads. Luckily, we have LastPass. LastPass is a password manager. It's gonna allow us to
create complicated passwords and have them associated to
the websites that we use. Now you won't have to type
in this password that often but it does suggest that you make this an extremely strong password. As I said before, it's
best to use a phrase. Something that you can put in that's easy for you to remember but
it's very very long. In my case, I'll say "In olden
days a glimpse of stocking." And those are the first words of the Cole Porter song Anything Goes. Again, this is just the demo. I'm trying to show you that
by using a phrase, we can have a very long, complex password. And here we are at the LastPass dashboard. Now luckily for us,
LastPass works with Yubikey. So the first thing we're
gonna do is we're going to tighten our security by
locking down our LastPass account with our Yubikey, and we do that by going to account settings, clicking on multi-factor authentication options, and as you can see, we can
use the Google Authenticator and a couple of other different ones but the one that we
wanna do is the Yubico. Yubico Yubikey. So we're gonna go ahead
and click on enable to which it's now asking
us for our two keys. So we're gonna, at least two keys. As you can see, you can
have up to five keys. Because again, this is a family account so more than one family
member might be using it. We're gonna go ahead and, so let's go ahead and log back in. I'll put in our password. In olden days a glimpse of stocking. We can't get in. I don't mind if you have this password because you ain't getting
in unless you have one of my security keys and in
this case, we only have one that I should at least register to. Now we have a secure LastPass. We now have a secure password manager. Now let's see how we use
LastPass with other websites. All right, so the next part
of this is that we need to load the LastPass extension. So we're gonna go in and we're
gonna say LastPass extension. As you can see, it's a
free extension available in the Google Chrome Playstore. All we do is click on that and
then click on add to Chrome. It says "Can I add the extension?" We say yes. And we'll end up with a
little icon here on the end that says LastPass. Here we're gonna go ahead and
put in our account information and as you can see, I can't
even install this extension without my security key. So I'll go ahead and
activate my security key. And we're all set. Now let's go and sign up for a service and see how we're going to use LastPass. So now let's go ahead and
see how we use LastPass. There's something very curious
here that I wanna point out to you and it speaks to security and how your information is
constantly being scanned, reviewed and in some cases, used against you. So I've come to the
Yahoo site and I've come to use this as an example to
show you how to use LastPass, and we're gonna click on that in a minute, but I want you to notice
what's happening here. The two ads that I'm getting sent, the one up there a minute ago was for Yubikey and the one over here is for LastPass. So that means they've been monitoring what words we're using
and where we're going and then they're feeding
us ads based upon that. Now in this case, these are two ads that don't make any difference because we already have LastPass and we're talking about the Yubikey, but I want you to see just
how your data is constantly under attack and that's why
we have to take these steps. So we're gonna go ahead
and click on sign in and we're gonna go to
sign up to which it asks what is our first name, our
last name, our password, a phone number, a date
of birth and gender. Now what I want you to see here is that under password, we now have
next to it a little icon and this is being generated by LastPass, and what we do is we click on that and it's going to show us
this LastPass generator. This is gonna help us generate
really strong passwords specific for each site,
and we have a bunch of different options. At the very least, we can
change the number of characters. I used to try to go for the maximum amount of characters just because I don't have to remember it anyways
and it looks kind of cool. So we're gonna say 20 characters. I can actually come down here to options and I can do things like make
sure it adds in dollar signs or things of that nature. Now this is good because
some websites will require that you do use a special character and some websites will
say you can't use it if it's a special character. They also have this little pronounceable which I don't know if you
can call that pronounceable but apparently it says that that word is a pronounceable word. We're just gonna go
back to all characters. I usually just, for the heck
of it, click on copy password. That will put it into the buffer. Into the copy-paste and
then I can just say paste. Now I've gone through all of those steps and again, I had to put in a phone number. Wasn't really happy with that because again, this just,
it helps to link things. So if they steal all the
information from here and all the information from
there, they now have some way of correlating the two accounts. You'll also see again now
that we have an advertisement for LastPass down here in the corner. So we're logged in. Now how does LastPass help
us to log in the next time? To do that, let's go ahead and log out. Let's go ahead and log back in. As you can see, it's prompting
me to enter my information and normally, I would type it in, but now, since we're using
LastPass, we have this little box off to the side. This little box off to
the side is important because it's telling us that LastPass recognizes this website and has at least one
login for this website. If I click on that box, it
will show me the logins that are available. Now you may have websites
with multiple logins. For example, maybe you and your partner have a Yahoo account. In my case, we only have
one so I'm gonna go down and I'm going to click on it. It's now entered my username. I'm gonna go ahead and click next. It's now asking me for my password. Don't worry, I don't have to type in that long 20 character password. All I have to do is come over to LastPass and again, select the correct entry. I then click sign in and Bob's
your uncle, we are logged in. So I'm going to stop here for part one. I'm already editing part two
and it will be put up shortly. Please hit the like button,
please hit the subscribe button so that I know that you
guys like videos like this that are in detail. We're breaking a lot of, from what I saw, you guys
really like these kinds of videos, so just let me know. Put a message in the comment. Tell me it was too long. Tell me it was too short. Okay, give me some direction. This is how we learn. We're gonna be working together. So until the next time, this is The Hi Tech Nomad, signing out. (upbeat music)