Does a hardware security key like a YubiKey work?

Hi, everyone. Leo Notenboom here for Askleo.com. I've been answering questions for a really long time, and I've been publishing newsletters for a long time as well. Visit Askleo.com/Newsletter to sign up for Confident Computing, my weekly emailed newsletter where I answer questions like this and talk about a bunch of related tech topics.

There are a number of ways to do what I'll call two-factor authentication when you set that up on an account. The most common ones that you're probably familiar with are things like having an alternate email address. When you sign in, and a second factor is required because you've not signed in on that machine before, the service will send an email message to whatever address is associated with your account, either with a link or with a code you type in. Your ability to access that email proves that you have the second factor, in other words, that other email account.

Another common approach is SMS text messages, where in that same scenario they will text you a code to the phone number that's on file. Again, your ability to provide that code proves you are in possession of the phone, or at least the number associated with that phone, and therefore should be allowed into your account.

Another form of two-factor authentication is the Google Authenticator program, where you have an application on your phone that has been associated with your account. When you are asked to provide your second-factor proof, you enter a code from that application on your phone, and it proves you're in possession of your second factor: the phone running the Google Authenticator application or a compatible equivalent.

Another approach that is actually somewhat more secure in some ways is called the YubiKey. Now, I'm using YubiKey, a brand name, as an example. I believe there are other versions of this as well, but the bottom line is that it's a physical key. Here you can see one. It is literally a USB device that you plug into a USB port on your PC. When you set up two-factor authentication with a USB YubiKey, you will be asked at that time to insert it, probably press the little button on it or something equivalent, and that will then associate this physical device, this specific YubiKey, with your account. Then later, when it comes time to sign in on a machine, perhaps a machine on which you've not signed in before, you'll be asked to insert that YubiKey and press the little button. That confirms to the service you're signing in to that you are in fact in possession of your second factor, in this case a very physical second factor, your YubiKey.

So how does it work? Well, it's interesting. Yubico has a page that describes the process, and we'll make sure to link to that in the notes for this video, but the interesting thing is that YubiKeys and devices like them act like virtual keyboards. There really is no special magical two-factor API. It's just that when the YubiKey is inserted, it acts like a keyboard. It types in some characters, and in some cases it'll do it automatically. In some cases you have to press the button. But the bottom line is that when the dialog comes up asking you to insert your USB YubiKey, it's waiting for keystrokes from the keyboard. What do those look like? Well, nothing you and I would ever understand. Here's an example. If I press the key on my YubiKey, it just types these characters. In fact, when I created the companion article for this video, in order to get this string of characters to show you as an example, all I did was insert my YubiKey, position my cursor in my editor where I wanted the string to go, and push the button. This is what resulted. Now, if I push it again, I get a different string.

It's interesting in that there is a complicated relationship between the serial number, a use count, a time stamp, and a secret that is encoded on the key. Once the key has been associated with your account, that secret is unique to your device, and when your device enters that code, it proves that the code could only have come from that specific YubiKey. It's actually pretty fascinating. It's another case of really intelligent and magical encryption use.

Now, how is it more secure? Unlike other forms of two-factor authentication, a YubiKey is a physical device. I mean, here is a YubiKey. This is what's required for me to authenticate with the accounts I have it associated with. You must literally present that device in order to authenticate. What that means is that, unlike some of the other forms of two-factor authentication, it can't be duplicated, it can't be spoofed, it can't be intercepted. You must have the key. What that means is it's almost immune to things like phishing attacks or other kinds of two-factor compromise that we occasionally hear about.

With that greater security comes greater risk, almost. That is, of course, what happens if you lose your second factor? What happens if I literally lose this key that's required to provide two-factor authentication for my account? I'm not screwed. When you set up two-factor authentication, any two-factor authentication, systems are set up to give you some information that you would use in the event that you lose that second factor. As one example, and this is honestly the example that I recommend you use because it is the most common one: when you set up two-factor authentication, you are often also offered the opportunity to create and save recovery codes. These recovery codes can each be used exactly once in place of the two-factor authentication code. So if I don't have my YubiKey, if I've lost it, if it's damaged, since it is a physical device, then instead, when I go to log in on a new device that would require two-factor authentication, I would either enter one of these codes, or I would say, "I don't have my YubiKey, let's use an alternate mechanism," and the interface may then ask for a recovery code. Once you're successfully back in, the thing to do, of course, would be to either turn off two-factor authentication temporarily or associate another two-factor authentication device in place of the YubiKey that's been lost. Basically, as long as you've set things up properly to begin with, losing your second factor is only a bit of an inconvenience, because you'll then be required to do something else to again prove that you are in fact the rightful account holder.

One of the things that I have heard people do, and I actually recommend this as well, is that some services will allow you to set up more than one two-factor authentication device. You can, for example, set up one YubiKey and then another YubiKey. You could have two YubiKeys that would both act as a second factor for your account. You would keep one with you on your key ring, and you would take the other one and save it in a secure location in case the first ever gets lost. That way you're protected, and you haven't used any of these potentially slightly less secure two-factor approaches.

Now, the other approach, of course, is that you can often set up multiple different styles of two-factor authentication on your account. For example, on some of my accounts, yes, I have a YubiKey because I wanted to see how it worked, but I also have Google Authenticator turned on. I also have alternate email addresses turned on. I also have mobile phone numbers associated with the account. And any of those could be used for two-factor authentication.

Now, it does sound like that dramatically reduces the security of two-factor authentication. It does not. First, any two-factor authentication is better than no two-factor authentication. You want to make sure you've got two-factor in place. However, the incremental additional risk of having multiple different forms of two-factor authentication is actually very small. Small enough that for the average consumer, it's really nothing you need to worry about. You're probably more at risk of losing your second factor than you are of having an additional second factor compromised in some way. I strongly suggest that yes, go ahead, set up multiple forms of two-factor authentication, be it multiple YubiKeys, or a YubiKey and Google Authenticator, or an alternate email address, or whatever, so that you're covered for exactly this scenario.

Now, there is one scenario where honestly only the YubiKey is the right solution, and only having a second YubiKey is the right solution. And that is where your account is so incredibly sensitive that you really don't want to take on even the smallest amount of additional risk. YubiKeys are absolutely more secure than the other forms of two-factor authentication, and that's a case where they might be the only thing that's appropriate for your account. But for most of us, that's simply not the case.

Hope that helps explain a little bit about what the YubiKey is all about, what hardware two-factor authentication devices are all about. For updates, for comments, for links related to this topic and more, visit Askleo.com/158246. I'm Leo Notenboom and this is Askleo.com. Thanks for watching.