Yubikey Bio - Biometric Hardware Security Keys

Video Statistics and Information

Video

Captions Word Cloud

Reddit Comments

Captions

welcome to crosstalk solutions my name's chris and today we're going to be taking a look at the new yubikey bio series of hardware security keys from yubiko now in this video we are going to be covering a whole bunch of stuff we're going to cover the two new models of yubikey bio keys that have just come out we're going to talk about which models of yubikey might be right for you we're going to enroll this bio key along with our fingerprint and show you how to do that in windows as well as with the ubico authenticator we're going to use the bio key to log into a 502 authenticated service and then finally we're going to talk about microsoft windows passwordless login all of that is going to be in this video and you can check down in the description for time codes if you want to jump around instead of watching the whole thing before we get started make sure you like and subscribe to crosstalk solutions if you haven't done so already it's absolutely free and really really helps out the channel when you do so the links for all products mentioned in this video will be down in the description below and there's also a link to buy me a beer if you want to do that okay so let's get started this right here is the yubikey bio and what you can see with this little black circle right in the middle here that is a thumb print reader and this thing is super super thin this is the usb type a model they also have a yubikey c bio right here which we're going to set up in this video and this one is the usb type c version now also notice that these say yubikey bio fido edition which means they might have other biometric editions coming out i'm not sure what that means like why would they specify fido edition if there weren't more editions on the way so we're going to talk about that towards the end of the video but first let's dig into the keys that they actually sent me so the usb type a version is the yubikey bio msrp on this product is eighty dollars per key then we have the ub key c bio this is the usb type c version msrp on this guy is eighty five dollars usd and looking at the product page for these keys we can see that they support fido 2 web often as well as u2f authentication they work out of the box with windows mac os chrome os linux chrome as well as the edge browser and they secure your accounts mostly with fido 2 by not only having to have the hardware key plugged in when you want to access whatever service or program you're trying to access but then you also need to provide a fingerprint so you know with the old-school ubi keys right so this is the yubikey 5 series now this is the version that i use most often the 5 series nfc this is a usb type a with nfc capability as well and while this does provide much better stronger authentication security than not having a security key it's still something where it's not biometric right you can just basically plug this in when asked for it and just touch the gold contact right here to say yes here is my key and i am touching it but if someone knows your password and they have your key they can still get in whereas with the biometric key they can know your password they can have your key but without your fingerprint they still cannot get in so it just adds that extra layer of security at the hardware level above and beyond any of the other yubikey devices that being said though that doesn't necessarily mean that the yubikey bio is right for you and i'm certainly not recommending that everyone go out and buy one what i would recommend is check what programs and services are compatible with the yubikey bio before you purchase and there's a very easy way to do that if we look at this page here it's the getting started with yubikey bio page this can be found at ub dot co slash bio and it tells you how to enroll your fingerprints and whatnot but if you scroll down here this shows you all of the applications that are fido2 compatible with this device and there's a lot of really popular ones on here google aws coinbase twitter facebook github right brave browser microsoft edge browser citrix right youtube there's just a ton of stuff that you can use the yubikey bio with today but there's also a lot of stuff that you can't so for instance if we look at these password managers like 1password and bitwarden are both compatible they both have 502 capability but like lastpass does not right so lastpass is just sort of the standard yubiko otp compatibility and in addition to that there is one piece of the puzzle where the yubikey 5 series definitely has the advantage and that is for your totp code so when i say totp that's time-based one-time password authentication the six-digit codes that you typically use with like a google authenticator or authenticator app on your smartphone these can also do those one-time passcodes using the yubico authenticator app whereas the one-time passcodes are not possible with this biometric device that means that with the biometric device you have to have this device for any of your fido 2 authentication such as google and microsoft and bitwarden and facebook whatever supports it according to this list but whatever doesn't support it you have to have a separate authenticator such as the google authenticator app installed on your smartphone device or you can carry around a separate ubico just for the totp codes and then have a different one for fido 2. right it starts getting a little bit a little bit crazy like i wish there was a way to have sort of an all-in-one key and that's something i'm going to talk about a little bit later towards the end of this video so bottom line is do your research before purchasing any of these hardware keys this yubikey bio i see as more of a key for organizations to help secure their employees with stronger biometric authentication whereas the yubikey 5 series i think is a much more general purpose hardware key that would work for you know a greater percentage of people than the biokey would okay so how do we enroll yubikey bio in windows let's do that now i'm going to open up for the first time this usb type c bio key and i have not done anything with this key yet so we're going to go ahead and stick it into my machine i'm going to try to do it with a usb type c to usb type a adapter i do have usbc on my computer but i have the usb type a right on the back of my keyboard so it makes it really easy when i'm trying to press a whole bunch of different fingers on this thing to read my fingerprint rather than having it down here under my desk and trying to do the same thing okay so let's try to do that there are a few different ways that you can do the fingerprint enrollments you can do it directly in windows 10 as long as you have version 1903 or higher and of course any version of windows 11 will do it for mac os linux chrome os you can use chrome 90 or later and you can do that the enrollment through chrome and then you can also do it with the desktop yubico authenticator so let me show you that first so here's the yubiko authenticator you want to make sure that you are on version 5.1 right here so yubiko authenticator 5.1 and then if i click on yubi key it says insert your yubikey let's go ahead and try it and we can see if the ubc bio fido edition and if i click here i can add a pin and then once you've added a pin you can start enrolling your fingerprints so this is how you do it through the ubico authenticator let me also show you how it's done through windows to do it in windows you want to go start and then click on settings then you want to click on accounts then you want to click on sign in options and now we have all of our various sign in options one of the sign in options again this is windows 10 version 1903 or higher so if you don't see security key here you probably need to update windows we're going to click on security key and we're going to say manage so it says touch your security key so i'm going to touch it and here we go now notice i can't enroll any fingerprints yet because i have not set a pin code on this device so first we need to add a security key pin and the pin code can be anywhere from 4 to 128 digits now to keep things simple i'm just going to do a four digit pin confirm that and then press ok and now i can enroll my fingerprints now when you go to enroll your fingerprints this device can store up to five fingerprints i would recommend doing some fingers from each hand the way that i do it is index finger on both hands and thumb on both hands and then you've got you know pretty much you're covering the bases right as long as you're using one of these four fingers you will be able to access the device so let's go ahead and say set up add in our pin and now we're going to repeatedly lift and rest your finger on the sensor until the setup is complete so let's go ahead and do that you can see that it's sort of adding in little fingerprint things there we go so use your fingerprint the next time you want to unlock your device let's add another finger this time i'm going to do my right thumb all right this time i will hold my keyboard up so you guys can kind of see what i'm doing here here's my ubico here i'm going to do my left thumb so we're just going tap tap tap tap tap usually takes about five or six taps let's do one final finger this is going to be my left index finger and here we can see it's reading it as i'm slowly tapping that finger there we go okay so i have now enrolled four fingers onto this ubi key as well as set a pin code so that's it the key is all set up if you wanted to reset it you can use this reset and it'll probably just ask you for your pin and then basically wipe the key of all information so let's go ahead and close this out and now let's actually use the key with a service so we're going to use it with github so if i'm logged into github i can come over here to my profile i can say settings then we can click on account security and then down here under two-factor authentication we have security keys and you can see i have four security keys authorized for github let's go ahead and click edit use security key and i can't use the one i'm about to enroll so i'm going to change this we're going to say security key and i need to find a different one so i'll use the usb type a bio key since i've already enrolled that with github i've plugged it in we're going to touch it and there we go so that is 502 authentication to get me into github now if i scroll down here we can see the four security keys that i already have added to my github account let's go ahead and register a new security key we're going to call this ubikey c bio and then we're going to say add okay so let's see making sure it's you okay so i had to add my windows hello pin code now we are going to set up my security key it says to set up your security key sign into github as chris crosstalk we're going to say okay and insert your security key into the usb port and then it says touch your security key so we're going to touch the key and there we go we've now added that key let's go ahead and log out of github sign out now we're going to sign in and we're going to say use security key to authenticate and we're going to click on security key down here touch your security key boom and we are logged in with our yubikey c bio biometric hardware key so really easy to get started when you have a fido 2 compatible service and any other service is going to be very very similar to the way that you saw me just set up the security key for github right there now let's talk about microsoft and let's talk about windows password list authentication because i think a lot of people might buy this key thinking hey what a great idea i can have a biometric login for windows but unfortunately it doesn't work with non-azure active directory windows clients or in other words it only works if you have an organization that is running microsoft azure active directory and your client that you're trying to log into is a member of that domain so that's great if you have a company that really wants to secure things down with a biometric hardware key then this will work if you're using azure active directory but what about for everyone else okay so ubico has a piece of software if you come to their web page and you choose products and you do computer login tools they have this right here so this is the yubico login for windows that you can download so this is for non-active directory clients but this does not use fido 2. this uses a challenge response protocol for security which means it does work with like the 5 series keys but it does not work with the fido 2 keys right it does not work with 502 authentication so you cannot use the yubico login for windows software with the new bio keys it's just totally incompatible with the type of security that those keys facilitate so microsoft also doesn't have any level of fido 2 support for local accounts on a computer so non-active directory domain accounts on windows and windows hello only works with computers that have a tpm chip tpm being trusted platform module or essentially for oem manufacturers like dell and hp they've worked out deals with microsoft to have an extra chip put into say like a laptop where when you open that laptop they know that it's trusted hardware and so then you can use windows hello for like the facial recognition or a fingerprint reader or something like that but windows hello does not allow for external authenticators at all it only works with that tpm chip now this all may change in the future if windows hello does end up working with external authenticators or if you know microsoft adds 502 authentication to local accounts in windows you know who knows what the future holds interestingly enough though microsoft does allow for 502 authentication with their normal microsoft accounts so like if you log into account.microsoft.com to manage your own microsoft account and you click on security oh look it's asking me so it's asking me for a key like if i have so i have the usb c biokey plugged in which is not enrolled with microsoft so if i try it touch your security key up security key does not look familiar please try a different one so let me change this out i will put in my usb type a bio key and then when i touch that one it does work just fine okay so inside microsoft account security if i click on advanced security options here we have all of the different security keys so if i want to add a new one add a new way to sign or verify we're going to add a new security key let me plug in the correct key here and we're going to say next okay okay touch your security key and now we can give it a name ubiquity c bio next and got it so again it does work so fido 2 authentication does work with your microsoft account it just doesn't work with microsoft hello at least not yet so when i talk about choosing the right key for you this is what i'm talking about right so fido 2 is not as widely adopted as i would like it to be yet so if you want a more well-rounded versatile hardware security key which i definitely recommend ubi keys but the yubikey 5 series today to me is the better value just because it is more versatile however for organizations that are trying to provide better security for like active directory login or if you have specific applications that are 502 compatible the biokey is a higher level of security so it's the old trade-off right it's ease of use versus higher security right and so take a look at both and figure out which one is going to be right for you and you might be saying chris well gosh if they would just integrate totp codes into this yubikey bio it would be a perfect key and i agree with you like i think that's exactly correct but you know think about it this way right the the form factor on these things are they're so thin that you can't really cram a lot of extra stuff in here right this has extra hardware to handle the otp codes the bio key has extra hardware to handle the fingerprint reading right so what they would have to do is essentially you know stack two of these on top of each other and make a yubi key that's like twice as thick in order to get additional hardware inside this tiny little device and so i guess my question is like would you the viewer buy one of these ubi keys if it had the biometrics if it was all-encompassing with totp capability but it was a little bit thicker than this tiny little form factor that they have is that something that you would be interested in buying let me know down in the comments below okay so that's going to do it for my look at the yubikey bio series again links to all the products that i talked about are below those are affiliate links if you click on those links we get a couple of bucks for the referral but it does not change your price at all and we certainly appreciate any referrals that we get okay if you guys enjoyed this video make sure you give me a thumbs up and if you'd like to see more videos like this please click subscribe my name is chris with crosstalk solutions and thank you so much for watching [Music] you

Info

Channel: Crosstalk Solutions

Views: 62,448

Rating: undefined out of 5

Keywords: Yubikey Bio, crosstalk, crosstalk solutions, yubikey bio series, yubikey bio 2021, yubikey bio review, yubikey biometric, yubikey bio windows hello, yubikey bio setup, yubikey bio vs yubikey 5, yubikey bio android, yubikey bio series - fido edition, yubikey bio reveiw, yubico, biometric, biometric security, hardware security keys

Id: 0XA521kyNco

Channel Id: undefined

Length: 19min 57sec (1197 seconds)

Published: Thu Oct 28 2021