How Does a Hardware Security Key Like YubiKey Work?

Captions
How does a hardware security key like a YubiKey work? Hi, everyone. Leo Notenboom here for Askleo.com. I've been answering questions for a really long time, and I've been publishing newsletters for a long time as well. Visit Askleo.com/Newsletter to sign up for Confident Computing, my weekly emailed newsletter where I answer questions like this and talk about a bunch of related tech topics. There are a number of ways to, what I'll say, do two-factor authentication when you set that up on an account. The most common ones that you're probably familiar with are things like having an alternate email address. When you sign in, if a second factor is required because you've not signed in on that machine before, the service will send you an email message to whatever address is associated with your account, either with a link or with a code you type in, and your ability to access that email proves that you have the second factor, in other words, that other email account. Another common approach is SMS text messages, where in that same scenario they will text you a code to the phone number that's on file. Again, your ability to provide that code proves you are in possession of the phone, or at least the number associated with that phone, and therefore should be allowed into your account. Another form of two-factor authentication is the Google Authenticator program, where you have an application on your phone that has been associated with your account. When you are asked to provide your second-factor proof, you enter a code from that application on your phone, and it proves you're in possession of your second factor, the phone running the Google Authenticator application or a compatible equivalent. Another approach that is actually somewhat more secure in some ways is called the YubiKey. Now, I'm using YubiKey, a brand name, as an example. I believe there are other versions of this as well, but the bottom line is it's a physical key. Here you can see one.
It is literally a USB device that you would plug into a USB port on your PC. When you set up two-factor authentication with a USB YubiKey, you will be asked at that time to insert it, probably press the little button on it or something equivalent, and that will then associate this physical device, this specific YubiKey, with your account. Then later, when it comes time to sign in on a machine, perhaps a machine on which you've not signed in before, you'll be asked to insert that YubiKey and press the little button, which confirms to the service you're signing in to that you are in fact in possession of your second factor, in this case a very physical second factor, your YubiKey. So how does it work? Well, it's interesting. Yubico has a page that describes the process, and we'll make sure to link to that in the notes for this video, but the interesting thing is, YubiKeys and devices like them act like virtual keyboards. There really is no special magical two-factor API. It's just that when the YubiKey is inserted, it acts like a keyboard. It types in some characters, and in some cases it'll do it automatically. In some cases you have to press the button. But the bottom line is that when the dialog comes up asking you to insert your USB YubiKey, it's waiting for keys from the keyboard. What do those look like? Well, nothing you and I would ever understand. Here's an example. If I press the key on my YubiKey, it just types these characters. And in fact, when I created the companion article for this video, in order to get this string of characters to show you as an example, all I did was insert my YubiKey and, in my editor, position my cursor where I wanted the string to go and push the button. And this is what resulted. Now, if I push it again, I get a different set of strings.
It's interesting in that there is a complicated relationship between the serial number, a use count, a time stamp, and a secret that is encoded on the key that basically, once it's been associated with your account, is unique to your device and is something that, when your device enters that code, proves that it could only have come from that specific YubiKey. It's actually pretty fascinating. It's another case of really intelligent and magical encryption use. Now, how is it more secure? Unlike other forms of two-factor authentication, a YubiKey is a physical device. I mean, here there's a YubiKey. This is what's required for me to authenticate with the accounts I have it associated with. You must literally present that device in order to authenticate. What that means is that, unlike some of the other forms of two-factor authentication, it can't be duplicated, it can't be spoofed, it can't be intercepted. You must have the key. What that means is it's almost immune to things like phishing attacks or other kinds of two-factor compromise that we occasionally hear about. With that greater security comes greater risk, almost. That is, of course, what happens if you lose your second factor? What happens if I literally lose this key that's required to provide two-factor authentication for my account? I'm not screwed. When you set up two-factor authentication, any two-factor authentication, systems are set up to give you some information that you would use in the event that you lose that second factor. As one example, and this is honestly the example that I recommend you use because it is the most common one: when you set up two-factor authentication, you are often also offered the opportunity to create and save recovery codes. These recovery codes can each be used exactly once in place of the two-factor authentication code.
So if I don't have my YubiKey, if I've lost it, if it's damaged, since it is a physical device, then instead, when I go to log in on a new device that would require two-factor authentication, I would either enter one of these codes, or I would say, I don't have my YubiKey, let's use an alternate mechanism, and the interface may then ask you for a recovery code. Once you're successfully back in, then the thing to do, of course, would be to either turn off two-factor authentication temporarily or associate another two-factor authentication device in place of the YubiKey that's been lost. Basically, as long as you've set things up properly to begin with, losing your second factor really is only a bit of an inconvenience, because you'll then be required to do something else to again prove that you are in fact the rightful account holder. One of the things that I have heard people do, and I actually do recommend this as well, is that some services will allow you to set up more than one two-factor authentication device. You can, for example, set up one YubiKey and then another YubiKey. You could have two YubiKeys that would both act as a second factor for your account. You would keep one with you on your key ring, and you would take the other one and save it in a secure location in case the first ever gets lost. That way you're protected, and you haven't used any of these potentially somewhat minorly less secure two-factor approaches. Now, the other approach, of course, is you can often set up multiple different styles of two-factor authentication with your account. For example, on some of my accounts, yes, I have a YubiKey because I wanted to see how it worked, but I also have Google Authenticator turned on. I also have alternate email addresses turned on. I also have mobile phone numbers associated with the account. And any of those could be used for two-factor authentication. Now, it does sound like that dramatically reduces the security of two-factor authentication.
It does not. First, any two-factor authentication is better than no two-factor authentication. You want to make sure you've got two-factor in place. However, the incremental risk, the incremental additional risk of having multiple different forms of two-factor authentication, is actually very small. Small enough that for the average consumer, it's really nothing you need to worry about. You're probably more at risk of losing your second factor than you are of having an additional second factor compromised in some way. I strongly suggest that, yes, go ahead, set up multiple forms of two-factor authentication, be it multiple YubiKeys, or a YubiKey and Google Authenticator, or an alternate email address, or whatever, so that you're covered for exactly this scenario. Now, there is one scenario where honestly only the YubiKey is the right solution, and only having a second YubiKey is the right solution. And that is where your account is so incredibly sensitive that you really don't want to take on even the smallest amount of additional risk. YubiKeys are absolutely more secure than the other forms of two-factor authentication, and that's a case where they might be the only thing that's appropriate for your account. But for most of us, that's simply not the case. Hope that helps explain a little bit about what the YubiKey is all about, what hardware two-factor authentication devices are all about. For updates, for comments, for links related to this topic and more, visit Askleo.com/158246. I'm Leo Notenboom and this is Askleo.com. Thanks for watching.
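The "serial number, use count, time stamp, and secret" relationship mentioned in the video, shown as an added example (mine, not the video's or Yubico's code): the checks a validation server applies to the 44 typed characters of a Yubico OTP, using the modhex alphabet and the 16-byte token layout with its CRC residue from Yubico's published OTP description. It assumes the token has already been AES-decrypted with the key's secret (that step is omitted and the token is handled in the clear), and every ID, counter and timestamp value is constructed.

```python
# Added example, not Yubico's code; the token is taken as already AES-decrypted.
MODHEX = "cbdefghijklnrtuv"  # Yubico's 'modhex' alphabet: same keys on most keyboard layouts

def modhex_encode(data):
    return "".join(MODHEX[b >> 4] + MODHEX[b & 0xF] for b in data)

def modhex_decode(text):
    nib = [MODHEX.index(c) for c in text]
    return bytes(nib[i] << 4 | nib[i + 1] for i in range(0, len(nib), 2))

def crc16(data):
    """CRC-16 used by Yubico OTP: reflected poly 0x8408, init 0xFFFF, no final XOR."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc

def build_token(private_id, session, timestamp, use, rnd):
    """Plaintext token: uid(6) | session ctr(2) | timestamp(3) | use ctr(1) | random(2) | crc(2)."""
    body = (private_id + session.to_bytes(2, "little") + timestamp.to_bytes(3, "little")
            + bytes([use]) + rnd.to_bytes(2, "little"))
    return body + ((~crc16(body)) & 0xFFFF).to_bytes(2, "little")

def split_otp(otp):
    """44-char OTP = 12 modhex chars of public ID + 32 of the (normally AES-encrypted) token."""
    return modhex_decode(otp[:12]), modhex_decode(otp[12:])

def validate(token, expected_private_id, last_seen):
    """Checks a decrypted token; last_seen is the (session, use) pair of the last accepted OTP."""
    if crc16(token) != 0xF0B8:                 # CRC over all 16 bytes must leave this residue
        return "BAD_CRC"
    if token[:6] != expected_private_id:       # the secret uid must match what was enrolled
        return "BAD_OTP"
    counters = (int.from_bytes(token[6:8], "little"), token[11])
    if counters <= last_seen:                  # counters must strictly advance: blocks replay
        return "REPLAYED_OTP"
    return "OK"

def demo():
    """Two presses in one session: different on the wire, both accepted once, replay rejected."""
    public_id, private_id = bytes.fromhex("00112233aabb"), bytes.fromhex("deadbeefcafe")  # constructed
    first = modhex_encode(public_id + build_token(private_id, 5, 0x0102A0, 1, 0x1234))
    second = modhex_encode(public_id + build_token(private_id, 5, 0x0102F0, 2, 0x5678))
    r1 = validate(split_otp(first)[1], private_id, (4, 7))      # server state from last session
    r2 = validate(split_otp(second)[1], private_id, (5, 1))     # state after accepting 'first'
    r3 = validate(split_otp(first)[1], private_id, (5, 2))      # 'first' typed again
    return first != second, r1, r2, r3          # (True, "OK", "OK", "REPLAYED_OTP")
```

The public ID travels in the clear and only identifies the key; the counters are why a captured string cannot be typed a second time, and why a replayed or tampered OTP is rejected.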
Info
Channel: Ask Leo!
Views: 32,276
Keywords: Hardware Security Key, askleo, ask leo, hardware security key for two-factor authentication, best hardware security key
Id: tbsNMtSHfwM
Length: 11min 16sec (676 seconds)
Published: Thu Jul 13 2023