How Security Keys work (2FA explained!)

Captions
We all need to protect our online accounts better. For most people, a weak password is all that's standing between our digital life and a hacker, and if that password is ever cracked or leaked, we're in big trouble. This is why a second layer of protection on our accounts is essential. It's referred to as many things: two-factor authentication, two-step authentication, multi-factor authentication. They're trying to communicate the same thing.

Derek Hanson is the VP of Standards and Alliances at Yubico, and he explained to me that there are many single-factor ways to authenticate an account. You can enter a password, enter a code that's sent to you via SMS, email or an app, provide biometrics, use a digital key that only you have access to. When you start talking about multi-factor authentication, it basically is saying that any one of those factors used just by itself isn't actually secure, but if you use multiple tools layered on top of each other, if one of them ever gets compromised, your account is still secure. Multi-factor authentication kind of takes away the weaknesses that each of those things have by combining their strengths.

We've done videos comparing different kinds of 2FA before, but now we wanted to do an entire video just focused on security keys, because they're one of the best ways to protect your accounts. They're also incredibly convenient: using a hardware key is a lot faster than waiting for a text message, an email, or checking an app for a code. You just tap, or you plug in, and you go. The trouble is that for a beginner, security keys can seem a little intimidating.

"I'm looking for a security key." "Sure thing. You want Yubico, Thetis, Titan, Kensington?" "I'm unsure." "Which protocols do you want supported? U2F, FIDO2, WebAuthn, PIV, PGP, SSH?" "Oh dear." "And which connector? USB-A, USB-C, NFC, Bluetooth, Lightning? And which model? We have the YubiKey 5 series, FIPS, Bio, HSM, plain old Security Key..." "Stop!"

Using security keys for 2FA is actually super easy, despite how it may seem. In this video we're going to demystify them and show you how to get started. If you want the best chance of fighting off phishing attacks, you will need one of these protecting your accounts. We'll give a quick recap of why security keys have better security than other 2FA options, what all the technical jargon means, and dive into which key is right for you. If you're just here for that, feel free to skip ahead. One note: there are many different companies that offer security keys and do similar things. In this video we're going to focus on the products from a company called Yubico. This isn't a sponsored video; we actually don't do show sponsors. Yubico is just a well-known brand with a good reputation, a great place to start if you're getting your feet wet in the world of security keys. We'll dive into other brands in future videos.

So let's begin with a quick recap of why other 2FA options are less secure. First, SMS 2FA. SMS is inherently insecure: text messages aren't encrypted and can be intercepted, and SIM swap attacks are unnervingly common. That's where an attacker convinces a mobile phone carrier to switch your number to a new SIM card that they control. Similarly, email 2FA can be insecure if you haven't taken precautions to protect your email account. Authenticator apps are one of the better options out there. They're also referred to as TOTP apps, or time-based one-time passwords, and they usually generate a code that expires after a certain amount of time. One of the weaknesses that exists in all one-time password solutions is that it's based on a secret. A secret is a long string of digits that's used to generate each one-time code. Your app takes that secret, combines it with the current time, and transforms it via a complicated hashing function into a new code that the app spits out every 30 seconds or so. You store a copy of this secret on your device, but also there is the copy of that secret on the server side, so the server is able to validate: did you type in the right thing, based upon the secret that I have? Both the website and your device use the same secret to compute this code and then compare values, and if they match, the website says that you have permission to access the account. That's called symmetrical, because both parties have the exact same secret information. This is a weakness, because if the website also has a copy of the secret, you're relying on them to store it securely. Ultimately, if you can get to that secret, you can impersonate the person that's supposed to have that secret. That is the risk of these systems. Luckily, most of the time websites implement very strict security measures for their copy of the secret. They've protected those secrets with everything they possibly can, because those are the keys to the kingdom. Authenticator apps are considered pretty robust for this reason, but there is still a risk that someone could theoretically steal the secret from the company if the system is not properly designed. That scenario absolutely could occur, but the bigger risk actually comes from phishing attempts. You have to send that private code across the internet in order for the website to check it, and that could be intercepted via a man-in-the-middle attack. You can give away that secret, and you can unintentionally authenticate an attacker to your account. I just need to be in between you and the service that you're trying to get to, trick you to click on the link that you're not supposed to, and the next thing you know, you've given me your credentials. It's just the weakness of the system design itself. So a better design is one where there's no secret at all, where you don't have to send a sensitive code across the internet, and that's where security keys come in. They're so good at neutralizing phishing attacks that when Google mandated that their employees all use security keys, successful phishing attacks against them ceased completely.

So what is a physical security key, and what makes them so secure? It's basically a little device that looks just like a USB stick or dongle, and once you add one of these as 2FA on your account, not only will you have to type your password in going forward, you'll also have to have one of these devices in your possession in order to access your account. Here are five reasons they're super secure.

First, no shared secrets. It's not based on symmetric secrets; it's based on public key cryptography, which is a really complex topic, way too complex for us to really dive into the weeds with in this video. But basically, the way public key cryptography works is I have a public key pair. So for example, if you set up security key 2FA on a site like Twitter, your YubiKey will create a private key. You never reveal that private key to anyone, not even Twitter. It remains isolated on your physical security key, inaccessible to your mobile device or computer, or even malware running on the machine. Your YubiKey will then send Twitter the public key associated with it. The server is able to validate anything that you sign with your private key, so that they know that you possess that private key, and only you possess that private key. The fact that you don't need to send a sensitive code or secret across the internet is one reason why public key cryptography is more secure than shared secrets.

Next, security keys usually use something called a challenge-response authentication flow. This is to prevent phishing, which is where a scammer tries to lure you into giving up your credentials to a fake website. Again, a complicated topic, but here's a simple breakdown. Something called a challenge is delivered to your key, which could be something like the current time. This is then signed by the key and then passed back to the server. Anybody that's inline can't actually tamper with that challenge, because the server knows, hey, I sent you my current time, so if you tamper with it, the server will reject it. This way the challenge-response authentication can't be stored by a hacker to be replayed at a future date.

Third, security keys also help prevent phishing by only allowing authentication on the exact domain the key was registered. So if you're tricked into going to a fake website, the security key won't authenticate, unlike with TOTP codes, for example, where you might accidentally give the code to a fake website, which they then use to log into your account.

Fourth, security keys usually have signature counters. Each time you authenticate on that specific key, the counter goes up by one. So if you sign in and the counter is five, and the next time the counter is six, well, if the third time you come back the counter is now three, we've got to be concerned about what's going on there. It offers one more check for the relying party to use to see if something had somehow tampered with the security of the actual YubiKey itself. We are not aware of any known attacks that make these authentication events visible.

Fifth, security keys require user presence to authenticate. User presence is quite simply: are you there? Is a living, breathing human associated with this key? The reason that's important is, if you end up with malware on your device, you need to make sure that that malware isn't able to sign in on your behalf, requiring a user to reach up and touch their YubiKey. Your malware has yet to figure out how to grow arms. Yeah, I'm worried that is the reality.

So how does using one of these keys work in practice? It's super simple. In your privacy settings, you'll add a 2FA method, and if they support security keys, you'll opt to add a new key. Once that key is registered, each time you go to log into that account in the future, you'll type in your username and password, plug in your security key, and when it asks you to authenticate on the key, just reach out and touch it. That's it. Now someone can't just hack you over the internet by stealing your password; they actually need to physically be in possession of your key too. This makes your attack surface a whole lot smaller.

Finding website support for security key 2FA used to be really rare, but today it's very common, with almost all major platforms like Google, Facebook, Dropbox and GitHub supporting it, as well as countless other websites. Using security keys on these platforms is actually really simple, but people get confused because there are all kinds of complicated terms thrown around to do with the protocols themselves and the capabilities on the devices you're purchasing. This doesn't have to be confusing, because most of these terms you'll see actually have nothing to do with what we're talking about, which is using a security key as a form of 2FA. They're usually referring to a bunch of other authentication tools that are unrelated but also found inside some of the keys we'll be using. So let's quickly explain some of the jargon and let you know which parts you can ignore.

One term you'll see a lot is FIDO. It stands for Fast Identity Online. The FIDO Alliance is an open industry association that promotes authentication standards and interoperability across devices. Because there are a ton of ways that websites could secure user accounts, the FIDO Alliance creates standards so that the same tools and methods will work across various websites. The FIDO Alliance hosts a standard called FIDO U2F, sometimes just called U2F, which stands for Universal Second Factor. The U2F protocol is the technical name for the entire focus of this video. It's a protocol that allows someone to add second-factor authentication to their online account using a security key. FIDO2 is another term that you might see. FIDO2 is an extension of U2F. It contains this U2F capability that we're concerned about, but the FIDO2 spec also includes a whole bunch of other stuff that you can ignore for the purposes of this video. FIDO2 is kind of a multi-factor authentication protocol that unlocks passwordless use cases. Terms like passwordless, WebAuthn and CTAP2 are all part of FIDO2, but the only part of FIDO2 that we care about for security key 2FA is U2F.

Now, when we get to choosing keys, you'll see terms like smart card, PIV, OpenPGP, OTP. There's so many different capabilities in the YubiKey, it's kind of hard to explain that all of them live on the key at the same time, can operate independently of each other, and concurrently. Basically, there are certain security keys on the market that include all kinds of different authentication tools. Again, the only one we're concerned about for the purpose of this video is U2F, so don't let all those other terms confuse you.

So now let's dive into the different models of security keys you could choose from. As mentioned, there are all kinds of brands that you can choose from, but we're going to focus on Yubico products for this video as an easy way to get started. One con of Yubico is that their keys are closed source, which limits the ability of the community to audit them. We'll look at some open source options in future videos. We basically offer three products: we offer the YubiKey, a Security Key, and the YubiHSM. To be honest, the Security Key model is the only product that you should be looking at if you're just getting started. It's the cheapest and simplest, and it doesn't include all the confusing bells and whistles of some of the other products. The Security Key is your FIDO authentication; that includes FIDO U2F, the one protocol that we're interested in for this video. The Security Key is targeted at a general entry-level audience. There are two Security Key options you can choose from depending on the device you'll be using it with: USB-A or USB-C. Both of these also support NFC, or near field communication, which is what you'll use to authenticate when logging in on your phone. You're able to simply tap your key to the back of the phone, and the phone is able to communicate wirelessly.

Now let's look at the YubiKey model. There are three different kinds of YubiKeys: the YubiKey 5 series, the YubiKey FIPS series, and the YubiKey Bio series. These support all kinds of authentication tools that we're not covering: PIV smart card, OpenPGP, TOTP codes, storing SSH keys, the list goes on. YubiKey 5 is the standard series; that key supports all of our authentication capabilities in the one device. They come in all shapes and sizes depending on what you're plugging the key into, including the Nano, which is a super small key that you can just keep in your computer at all times, and a Lightning connector to plug into an iPhone. What we have to do is make sure that the key works in as many places as possible, so that you're never locked out. Next is the YubiKey Bio series. This also includes all the other authentication tools that are outside of the scope of this video, but as far as U2F goes, the protocol that we're concerned about, instead of just touching the key to show your presence, you actually need to provide the correct fingerprint, which adds an extra layer of security. There's also a PIN authentication option for these devices, so that we're not locking people out of their accounts just because they cut their finger while prepping dinner last night. We want to make sure you can get in, and it is secure. The final type of YubiKey is the FIPS series. FIPS stands for Federal Information Processing Standards, and it's a set of standards to be used for US government agencies and contractors. The YubiKey FIPS series is compliant with those standards. The FIPS series is certified against FIPS 140-2, and it basically provides certification by an independent lab that the YubiKey does meet all these claims. The final type of Yubico product is called the YubiHSM series, which essentially is an enterprise solution. The YubiHSM is a raw crypto device that we use for protecting secrets and building applications on. It's definitely outside the scope of this video.

So to reiterate: if you're just getting started and only interested in exploring using security keys as 2FA on your accounts, you'll want to focus on the Security Key product. To end, here are some really important tips and best practices for using these security keys for 2FA. The very first thing you do is you go and enable security keys on your email accounts. Your email is often tied into the security of all your other accounts, so you want to keep that as secure as possible. Next: do I have a password manager, do I have a list of passwords? Let's protect that. Then take a look at things like Twitter, Facebook accounts [...] account, and security key 2FA on every account that supports it. But for now, ask yourself: what's your biggest reputational risk, what's your biggest financial risk, and start with those places.

Next, how many keys should you get? Well, you can use a single key as 2FA on unlimited accounts, so you technically only need one key, but I highly recommend you get at least two, because if you lose your key you don't want to be locked out. And be aware that you can't just make copies of your key after the fact, and that is by design. If you're actually going to have a reliably secure system, the second you start allowing for copies of the FIDO credentials, do I know for sure that it's this YubiKey, registered to this person, that's signing in? So you have to add each additional key manually to your account and register that specific key. Anytime you register one, you grab a backup and register a second one. Just do it right away. Most of the places that have implemented security keys just let you add a new one; you don't even have to disable your old one. Next, what if someone steals your key? Remember, it's second-factor authentication. Someone would still have to know your password in order to access your account, so taking the key isn't useful by itself. If you do lose a key, you can simply log into the accounts registered with that key and remove it from your list of approved devices. And finally, what if an account doesn't support security key 2FA? Well, first, write them an angry email asking why not. Joking. Not really. If they don't support security key 2FA, enable TOTP codes, and if they don't support TOTP codes either, add whichever 2FA option they do allow. Any 2FA is better than none. It's actually shocking to me that there are still websites that don't support these keys, especially government sites that mandate that we hand over all kinds of sensitive information and don't even give us an option to protect that data. It's incredibly irresponsible and negligent. Most of these organizations have an obligation to support phishing-resistant authentication, but we can still take proactive steps to add robust security on the websites that do support it. Start investing in your own security, in your own privacy, and start understanding what it means to take control of your identity online.
Info
Channel: NBTV, with Naomi Brockwell
Views: 100,664
Keywords: naomi, brockwell, bitcoin, cryptocurrency, Fiat, Bitcoingirl.org, btc, monetary, policy, currency, Bitcoin, Girl, crypto, blockchain, privacy, surveillance, naomi brockwell, nbtv, tech, nbtv.media, naomi privacy tips, yubico, yubikey, 2fa, 2 factor authentication, password
Id: UhANsAtvLN0
Length: 17min 42sec (1062 seconds)
Published: Sun Nov 20 2022