Yubikey 5 - a Hardware 2FA - Is it Useful? - Review

Captions
Today I'm gonna talk about a Yubikey 5. This is a hardware authenticator which is used for logging in and for two-factor authentication. Coming up next. [Music]

The question that I will answer in this video is if this Yubikey, one, gives me more convenience with logging in, and two, gives me more online safety. The answer will be: it depends on your use. It works nicely in many cases; it's very inconvenient in other cases. It will vary based on the kind of devices you have. I will get to that later.

Today two-factor authentication, meaning a second method of verifying your identity, is mostly done by text verification or by email verification. You're being forced to do 2FA, and that's the shortened version for two-factor authentication, by social media apps, Google accounts, Microsoft accounts. This is pretty much a common affair, to verify your identity via email or text. Sometimes this is also done using apps such as Google Authenticator or an app called Authy. I can talk about these software options another time, because you can use them as well.

Some apps and websites have more secure transaction requirements. In my case I use Amazon Web Services and some financial websites. These websites require a 2FA verification every time I log in, which is really tedious. But that's not the only reason to use a hardware authenticator. I have a serious problem giving out my phone number to every app out there. The reason is that it is used as an identifier. I'm already angry at security apps like Telegram, WhatsApp and Signal: they use a phone number as an identifier. Your identities can be connected on social media to your real identity with just the phone number. So 2FA using a Yubikey means you don't have to give your phone number out, in theory.

The main reason for requiring 2FA is because you can be a target of a man-in-the-middle attack. Someone could have read your username and password, or a short-term token that allows them to access your account. By re-verifying your identity through a channel that the hacker doesn't see, an attack can be stopped. This is why text and email are used: they're not part of the website traffic. Unfortunately even these can be beaten, although it's more difficult, and of course there's the inconvenience factor.

So now there's a hardware solution. Yubikey is the most popular of these hardware authenticators, and I have one, and I've been using it for about a month, and I'll give you my review of this device.

A bit of background: hardware authentication standards are constantly evolving, so there's a lot of issues with compatibility. Device models change, and it may be that you have to buy another model device in a year, because that's how fast the standards are changing. This particular Yubikey cost me around $50.

There are two specific uses for this Yubikey. One, it's used for 2FA, two-factor authentication. Two, it can also give you static passwords. I will tell you how it can be useful for each.

So the first use of this device is as a 2FA. There are several standards to think about. If you compare devices on Amazon, for example, you will see support for FIDO2, FIDO, OTP, which means one-time passwords, and there are different versions of that. Now this is very important and one of the advantages of Yubikey: pretty much all the standards are supported by the new Yubikey 5 version.

This Yubikey 5 supports 2FA, for example, on a Mac OS. So on Mac OS X you can use it as a two-factor for logging into your computer, but it's not login-free. It's just a second-factor authentication, so even if somebody knows your password on the computer, they can't log in with a password by itself; they have to use the key. It can also be used with FileVault on Mac OS X for file encryption. Again, the encryption will be based on the data that's on the key. Now Windows doesn't have support for this. They had support for an older version, and that version is no longer going to be continued, so at the moment Windows doesn't have any way of doing two-factor authentication on login using Windows Hello. But it can be used for Microsoft accounts, for Xbox, Office login, anything Microsoft-account based. It doesn't require any login at all; in fact, all you have to do is press this and you can get into your Microsoft account.

Now as far as apps that support Yubikey, I'll give you some examples of some common apps and websites that use Yubikey for two-factor authentication. Again, this is not login-free; you still have to log in. This simply prevents the need for sending you a text message or an email saying "please confirm your identity". It works for Twitter, it works for Facebook, it works for Instagram, it works on Dropbox, and it doesn't work on the Amazon store, but it works for Amazon Web Services. It works for anything Google: Google accounts, YouTube and so on.

Now let me talk specifically about using this for your password managers. I tested this with two password managers, specifically LastPass and KeePass. Now as a second-factor authentication, meaning it would require a master password and then this is a second way of verifying, this will work with LastPass only if you have the premium account. If you have the free account of LastPass, it's not going to work with two-factor authentication, but it will work with the master password, which I will talk about later. Second, you have KeePass. Now KeePass does work with 2FA using a Yubikey. However, when you're talking about KeePass, there are really two products here. The main KeePass itself is for storing your passwords, and there's extensions to use in your browser. See, because of the separation of the products, it's actually pretty difficult to use this 2FA with various other plugins that you can use with KeePass. So KeePass is a little bit complex. However, just like LastPass, you can use this for the master password, and I will talk about that later. This is not part of 2FA; 2FA is a separate process.

Now there are many more sites supported, but this is a quick list. You can go to the website at Yubico and you can see what other websites are supported.

Now the Yubikey comes in several form factors. This is one form factor; it's called a Nano. This is a Yubikey 5 Nano. This one is made to be inserted in your computer, and you can't really have anything sticking out with this. It's made to stay there fairly permanently or semi-permanently. Then you have the other option, which is an NFC-based one, which is a combination of plugging it into the USB and an NFC for use with a phone (near-field, that's what NFC means). And there's another version of that and this, which is a USB-C version. This one is USB-A.

Now this is where the greatest inconvenience lies. When you register a device for 2FA with an app or website, you basically register a specific Yubikey device, meaning one unit. So if you're going to use the Yubikey on your Windows computer that has a USB-A, and it's semi-permanently plugged in there like the Nano here, it's not going to work with another computer that's only using USB-C, like a new MacBook. This is a particularly significant issue for me, since I use several computers, so it prevents me from switching computers. You can only register one Yubikey with each website. You cannot use a converter to move the Yubikey around to a USB-A or USB-C. You have to pick one form factor when you buy it in advance, and the one that I have is the USB-A version. If you want to use it with a phone, then you'll need the one with an NFC, like the one shown here. You have to unplug it from your computer to log in to your phone. I know this is technically difficult, but it would have been more convenient if you could sync two or three of these Yubikeys so you don't have to unplug and replug for short-term use.

Now if you're in an office with other people that are in your area, this could also be tedious, because if you go to the bathroom, in theory you should unplug the device and take it with you. And sometimes you need it to use with a phone and you're not next to your computer, like when you're out to lunch. But there are other ways around to solve that. I always have a timeout running on my computer, so you have to re-enter the password when it goes to screensaver mode. So there's no need for me to necessarily remove the device from the computer, but I'm forced to, because there's only one key that I can use with my phone.

By the way, an inaccuracy in some of the other reviews I've seen: some people say you need multiple Yubikeys in case you lose one and you lose access to an app or website. Pretty much all the sites I've seen switch to phone or email verification if you don't have the Yubikey present, so if you lose it, unregister the old device and buy a new one. I don't see the need to necessarily purchase multiple Yubikeys in advance, though I'm still concerned about leaving an option for text verification with my phone number on these devices as an alternate. Maybe you still need a burner phone or a special phone number in case you have to do two-factor authentication in those cases without using your normal phone number.

For those wondering how the Yubikey actually works with your computer: when you tap on the metal portion of this device, what it really does is it acts like a keyboard driver, and when you tap on it, it actually types out a password that is then received by the website. That's why it's quite compatible, because it's very simple. It's just like typing in a keyboard manually.

Because of the inconvenience of using the Yubikey on phone logins, I decided that for now I will use it only for apps that I frequently need to use on a computer, and I don't need the convenience of 2FA for social media apps. So mine is plugged in directly on the computer at all times unless I leave; then I can take it away with me. This limits my use of it, since it can be used for multiple 2FAs only if I use it on the phone and the website simultaneously. I'm bothered by the form factor of the NFC version as well. It looks flimsy to me. If my computer hits something, I can imagine that portion that's sticking out snagging and breaking. That's why I hate dongles that stick out. This is one of the reasons I chose the Nano version, this one, since it can't get damaged in that manner. Maybe if Yubikey sends me the NFC version for review, I will reconsider this.

Now here comes the use that really helps me on my computer. This is the use of the device as a static password. This means I just tap on it to log on with a fixed password, depending on where I want to use this fixed password. Now remember, a static fixed password is not connected to 2FA, but it does offer some productivity benefits. My primary use of it is for my password manager, as the master password. I tried it both on LastPass and KeePass. When I'm prompted for my master password, I use the Yubikey as my master password. I tap on the Yubikey and it fills out a fixed password for me that's 32 digits long. You can use the same password in other places too, and that adds to the other convenience. It's no different than typing it in manually, but if you use it with a password manager, it simplifies remembering passwords and the use of the password manager, and you can still take this away with you, so then no one can know your password.

Now how do you make the Yubikey give out a static password versus a 2FA password? Well, it turns out you can program the Yubikey using something called the Yubikey Personalization Tool, which you download from the Yubico site. Then the device has two modes. If you touch the device for a short period, like no longer than 1.5 seconds, it operates as mode 1, 2FA for example. If I hold it down longer, for 2 seconds or longer, it switches to mode 2, which in this case is my fixed password. So it's pretty convenient, and that alone makes it worth it, especially for using it with my password manager. And the personalization tool is not easy to use by any means, and it is complicated to understand, but once you figure it out, you can reset the auto-generated password as often as you want. You can set it with your own manually chosen password, though the interface is so bad and buggy that I haven't figured out how to do that, so I use the auto-generated password.

So to summarize, the Yubikey has two practical uses. Number one, as a hardware 2FA device, which can add to your privacy instead of using a phone number, and it's also much safer than texting and email, both of which can still be hacked. Number two, it's very convenient as a hardware fixed-password device, which is a time saver and allows for a single-finger login on a computer.

Now I have a wishlist to make this more usable. Number one, I wish I had the ability to use multiple Yubikeys, both as a backup and for the convenience of mobile. Number two, perhaps they should provide us with a device that can switch to both USB-A and USB-C form factors, to allow me to use it on multiple devices with one key, or some sort of an adapter. I can understand why for security reasons you may not want to give access to a common commercial USB-A/C converter, but they could make one for us. Number three, it would really be great if the device could store more than one fixed password; then it could really create a shortcut for day-to-day use. Number four, another possibility is if websites supported multiple 2FA hardware devices, or even using Google Authenticator as a backup. That would be great; then we don't have to worry about losing these. Most don't; they only support one. I would really be happier if we moved away from requiring emails and phones as verification methods. As you will hear from my other videos, email is very unsafe.

In summary, I think with the two uses I just gave, it's very usable for two purposes that I gave today. As time goes by, this could potentially go from occasional use to indispensable use in the future. It could be a big help to Internet privacy, since it can allow us to keep our phone number or even email private. I'll put a link out in the description for you if you want to check out the device on Amazon. As always, if you like my content, please subscribe to my channel and click on that notification bell. [Music]
Info
Channel: Rob Braxman Tech
Views: 100,669
Keywords: two factor authentication, security key, yubico key, yubikey review, yubikey 5, 2fa, 2 factor authentication, usb security key, yubikey 5 nfc, yubikey nano, internet privacy, internet privacy guy, internet privacy and security, anonymous official, fido, fido2, otp, hardware 2fa, fido u2f, yubico security key, yubikey 2fa, yubikey 5 review, review, yubikey, internet privacy tips, internet privacy 2019, cyber security, cyber security jobs, cyber security jobs salary, hak5
Id: 7T_LMN4OWXo
Length: 17min 30sec (1050 seconds)
Published: Wed Apr 03 2019