
You Should Be Using Yubikeys!

May 30, 2021
I bought my first set of YubiKeys in 2018. These are the YubiKey 5 NFC model that I still use today. I originally bought them to try them out for a video, but honestly, I didn't really know exactly how they worked, how they were different from the Google Authenticator app I was already using, and whether or not it would be a good idea to switch to a hardware key instead of the software authenticator app. Because of that learning curve, the original YubiKey 5 NFC that I bought sat on my desk collecting dust for over a year. Then I was contacted by a Yubico engineer who was a fan of the channel and heard me mention on a live stream that I had these keys unused and wanted to educate me on how they work.
After meeting him and learning a lot about how these hardware keys work, I finally made the switch from Google Authenticator to YubiKey and haven't looked back. I love this solution. One of the main reasons I love YubiKeys is actually quite surprising, since it has nothing to do with security: it's that they are faster to use than authenticator apps on your smartphone. But before we get into all that, let's cover the basics: what the heck is a YubiKey and why you should be using one. In this video we will talk about what YubiKeys are, show examples of how to configure and use YubiKeys for multiple different types of two-factor authentication, and discuss why YubiKeys are superior to authenticator apps in many ways. If you are interested in jumping to various points in the video, check the description to get full time codes for the various topics, and if you are interested in this type of content, make sure you subscribe to Crosstalk Solutions and also follow us on Twitter at CrossTalk Sol. And if this video makes you realize that you would be crazy not to start using YubiKeys, I would appreciate it if you click on the YubiKey link below. This is an affiliate link, which gives me a few dollars for the referral but doesn't change your price at all. And while I love that Yubico offered to sign me up for their affiliate program, I actually purchased and started using YubiKeys long before that happened, so my opinions were not altered by the millions and millions of dollars I will get in affiliate income.

I'm just kidding, of course. It's really not much, but I appreciate all the affiliate sales I get. So let's get started: what exactly are YubiKeys? Well, YubiKeys are basically hardware security keys created by a company called Yubico. These security keys connect to your computer or smartphone in several ways. This is a USB Type-A, for example. I have another one here: this is the YubiKey 5Ci, which has Lightning on one side and USB Type-C on the other side. This YubiKey 5 NFC is also wireless, so you can do NFC, which I think is near-field communication, yes, I remember correctly. Anyway, you can NFC this on your smartphone.
YubiKeys help facilitate two-factor authentication, or 2FA for short. Two-factor authentication is a method of confirming someone's identity beyond simply knowing the username and password to enter a website, service, or other account. 2FA can be achieved in several ways, but usually we are talking about something you have and something you know. For example, when you go to the bank to withdraw money from the ATM, you are using two-factor authentication: you have something you know, your PIN code or your password, and you have something you have, which is your bank card. You never want to have just a password on your bank account, because anyone who knows your PIN code or your password could just walk up to the ATM and take money out of your account.
It doesn't make much sense. The same goes for all your online accounts: whenever possible, you should protect your accounts with 2FA. Username and password are always a piece of the puzzle and should definitely follow best practices, such as not using the same password across multiple accounts, making sure your passwords are not easy to guess, following strong password guidelines, etc. Password managers like LastPass or 1Password make the process of managing unique and strong passwords much easier. So passwords are one part of 2FA, the something you know. The something you have, on the other hand, can be achieved in many different ways. Most of the time it will be in the form of a one-time passcode, and one way to do it is with SMS, but two-factor authentication over SMS is not very secure and has been shown to be susceptible to compromise. Plus, SMS two-factor authentication requires network connectivity, or at least SMS connectivity, to work properly. A better method is to use an authenticator app on your smartphone or desktop computer that can produce OTP codes, also known as TOTP codes; time-based one-time password is what TOTP means.
The downside to authenticator apps is that while these apps are usually free, they require a mobile device, which, as you know, is not the biggest deal since most people have a smartphone nowadays. But for businesses there are logistical and administrative issues related to supporting authentication apps on whatever smartphone devices their employees may have, not to mention the gray area of requiring their employees to install business apps on their personal cell phones. Imagine standardizing your company on Google Authenticator, for example, and then having to support all your employees every time they buy a new device and need to migrate their 2FA codes to that new phone. The cost in terms of administration can be quite high if you decide to go that route. And yes, there are some authenticators, like Twilio's Authy, that have multi-device support, but even with multi-device support, as an IT admin you still need to support those multiple devices, and many security experts argue that having tokens on multiple devices is risky. I mean, it defeats the purpose of something you have if you have multiple copies of your OTP tokens.
Imagine if you had 10 ATM cards to access your bank account: the chances of you losing one of those cards are higher if you have a ton of them. And on top of all that, what happens if your phone battery dies in the middle of the day? So by standardizing on hardware security keys, your IT administrative costs are greatly reduced. They are easy for your employees to use while providing much better security options than authenticator apps. They don't rely on network connectivity to function and don't have a battery that can die. So as a drop-in replacement for authenticator apps, YubiKeys are great.
I have an authenticator app for Windows, macOS, Linux, Android, and iOS, and as a bonus, the workflow for using Yubico's authenticator is actually faster than using something like Google Authenticator. Let's go over both methods and hopefully you'll see what I'm talking about. First we will start with Google Authenticator. A website asks you to enter your 2FA code. Now you have to take out your smartphone, unlock it, search for the Google Authenticator app, open the app, find the matching 2FA account you need, and then enter the code manually, hoping you don't mistype it. If you're authenticating from your smartphone to a website on your desktop, there's no copy and paste there; you have to enter the code before it expires or you'll have to enter it again. Now let's see the process for YubiKeys.
I personally keep the YubiKey sticking out of the USB port on my keyboard, which means it's always close to my hands. So first I get asked for the 2FA code by a website, so I open the Yubico Authenticator, which is normally already open on my desktop. I find the code I want. I double-click on it. I tap the touchpoint on my YubiKey, and then my code is automatically copied to my clipboard and I can paste it into the 2FA field. This may not seem like a big difference, but trust me, it probably cuts 25 to 50 percent off the time it takes to enter a 2FA code each time. If you're constantly prompted for 2FA codes like me, this method is a lot more efficient than smartphone-based authenticator apps. So now we know that YubiKeys can be used as a faster and more efficient drop-in replacement for authenticator apps, but they are much more than that, so let's start from here and address the new standards for user authentication.
Now, I'm by no means an expert on all the different online authentication standards and methods, and I'm sure there are arguments in favor of many of these different types, but some of the most promising new standards for secure authentication come from the FIDO Alliance. FIDO stands for Fast IDentity Online. The FIDO Alliance was originally founded by PayPal, Lenovo, and several other companies with the goal of working towards a secure passwordless authentication protocol. Later, big names like Google, Microsoft, and Samsung also joined the alliance. Yubico has been a big part of this alliance too. The FIDO Alliance has come up with some different standards.
The first is FIDO UAF, which is seen quite frequently on smartphones, so iPhones, for example, allow you to log into the phone and some apps with a face or fingerprint scan. There is also FIDO U2F, which is probably the most common method of using YubiKeys to log into websites. FIDO U2F is where a website relies on your existing username and password authentication while also adding local device authentication. In other words, with FIDO U2F you log into a website normally with your username and password and are then asked for a second form of identification, such as touching the touchpoint on your YubiKey that is connected to your computer.
I'm going to show some examples of FIDO U2F logins in just a little bit. Finally, we have FIDO2. FIDO2 is the latest FIDO Alliance specification. Now, the 10,000-foot view of FIDO2 is that it uses two main components, CTAP and WebAuthn, which, honestly, I'm not an expert on. I'm not even sure if I'm pronouncing WebAuthn correctly; it means web authentication. So it uses CTAP and WebAuthn together to enable authentication. CTAP stands for Client to Authenticator Protocol and regulates the connection between the user's device and the authenticator device, whether the authenticator is biometric or something like a YubiKey.
It establishes a set of rules for how those devices communicate with your PC, laptop, or smartphone. WebAuthn is the other piece of the FIDO2 puzzle and determines the rules for how your browser takes authentication from CTAP and then uses it to log in to whatever website or service you are trying to log into. To make it as simple as possible: FIDO2 is made up of CTAP and WebAuthn. CTAP uses your YubiKey or other authenticator to authenticate on your computer or other device, and then WebAuthn takes that authentication from your browser and uses it to securely log in to your destination.
The general point of all this technical jargon is that FIDO standards are a much deeper and more secure authentication method than one-time passcodes. YubiKeys can create one-time passcodes just like authenticator apps, but they can also achieve these more secure methods of user authentication that authenticator apps can't do. In other words, if you are only using one-time passcodes for your 2FA, you are missing out on these faster and more secure authentication methods. Now, hundreds of companies have adopted FIDO authentication and can work with YubiKeys. You can check out the YubiKey catalog online to explore all these different companies, like 1Password, LastPass, Citrix, GitHub, Google, Twitter, Dropbox, and Vultr. Okay, so enough of the sales pitches.
I hope I've given you enough so you know now that 2FA should be used whenever possible, and hopefully now everyone understands that YubiKeys go way above and beyond what authenticator apps can do. Let's look at YubiKeys in action. Our first example is a standard TOTP login. I'm doing this with Intuit QuickBooks, so we'll first log into QuickBooks with LastPass. You can see I have the Yubico Authenticator already open on the side, so now I'm asked for my six-digit TOTP code. Now look at the Yubico Authenticator. One of the things that is really nice about the Yubico Authenticator is that the codes are not displayed until you double-click on them and authenticate successfully, so you really have to have the key and you have to press the key for the code to actually display. But once it displays, as soon as you tap the YubiKey, it is copied directly to your clipboard and you can just paste it right in. So, for example, we have QuickBooks: double-click, it says touch your YubiKey, touch, and now we have the code and I can go paste, continue, and I'm already logged in. So let's take a quick look at the Yubico Authenticator. This is a good authentication app. The only kind of problem I have with it, and why I prefer Google Authenticator, is that you see that there are little stars here next to these items, so, like Ubiquiti Networks, Intuit QuickBooks, those are favorites. Basically, if you star something, it's going to go to the top of your list, but what I would prefer is the ability to organize your list in any order you want.
It sounds like it wouldn't be too difficult to program, and it would be much better if you could, you know, specifically put things in the order you like. And here we can see the Yubico Authenticator on my phone. Now, it doesn't have anything listed here right now because my YubiKey is not near the phone or plugged in, but again, you have a couple of options here: you have the Lightning version, or it also has USB Type-C. So, for example, I can plug in the Lightning version, and there we go, my codes appear on the screen, and then I can do the same thing: just, you know, click on any of these codes, touch the YubiKey contact, and then that code is displayed.
This also works with NFC. As you can see, it says drop down to update or activate NFC, so I drop down and it says scan your YubiKey. We just put it against the back, and now all our codes are shown again. So these YubiKeys can do the TOTP passwords no problem, but now let's look at a little bit deeper authentication with U2F. Okay, so U2F, remember, that's where you have a username and a password, you log in with that information, and then instead of a one-time code you have specifically set up your YubiKey as an authorized mechanism for authentication, so the YubiKey needs to be connected to your computer and then you can authenticate. So here's Dropbox. Now, Dropbox does U2F, so we can see I have my information pre-populated from LastPass. We're going to click sign in, and now I'm asked for my PIN: okay, so, making sure it's you, enter your security key PIN.
Now, you don't have to put a PIN on your YubiKey. I choose to do this because, you know, the more layers of security there are, the better. So I'm going to enter my PIN first, I'm going to say "OK", and now it says touch your security key. Boom, and now I'm logged into Dropbox. Here's another example: this is Vultr, so let's go ahead and log into Vultr here. First I'll take the LastPass password and log in, and once again I'm asked for two-factor authentication: enter the code generated by your mobile app or your security key. In this case it's a little different: you actually have to press and hold the contact for a second, and a full string of characters will be displayed on the screen as the authentication code. But again, I didn't actually have to click authenticate; as soon as those characters were entered, I was automatically signed in directly to Vultr. Okay, one more example: this is GitHub, and I think this is a WebAuthn type of authentication. We're going to go ahead and sign in to GitHub, and now we see the security key prompt. Go ahead and use the security key, so here it says making sure it's you, tap your security key, and now we're signed in. So now I know you're dying to get your hands on these YubiKeys, and go ahead and make sure to use my link below if you are going to purchase any. And how do you set it up initially?
Well, luckily I have a new clear YubiKey 5Ci ready to go. These clear models were actually a special edition of these YubiKeys. I don't remember if they are still available or not, but I didn't see them on the website anymore, so they may not be there anymore. So I have the Yubico Authenticator installed, and what we need to do here is click on the three dots in the top left corner. It says: insert your YubiKey. As I don't have USB-C on the back of my keyboard, I have a USB-C to USB Type-A adapter for the YubiKey 5Ci. Let's connect it to my keyboard, and it found my YubiKey 5Ci, it found the serial number. If I want, I can set a password on this YubiKey, and then we have some application options, basically, like light or dark mode, whether you want the Yubico Authenticator to show up in the systray, you know, stuff like that. We can also remove all the passwords from the key if we want. So if I come back now, we have our key set up, and that's all there is to do. Now it's ready to go; we're ready to receive TOTP or U2F or FIDO2 auth keys now, so let's go ahead and set one up, and I'll just reset one of my own TOTP 2FA keys.
I'm going to reset Ubiquiti, so I went to account.ui.com, I clicked on security, and I have two-factor authentication enabled. So first we're going to disable two-factor authentication, and to disable it, of course, it wants to know what our TOTP code is, so let's enter that first, and now 2FA is disabled for my Ubiquiti account. So let's go ahead and enable two-factor authentication. I have my new YubiKey 5Ci connected to my keyboard in the USB Type-A slot. We are going to enable two-factor, and this is what we normally see: we say enable two-factor authentication, we get a QR code, and then you might have some backup codes, and it will also ask you for the TOTP token just to make sure that everything is set up correctly. Now, the nice thing about the Yubico Authenticator is that it can detect QR codes right from the screen, so when I click add, boom, it already found the Ubiquiti Networks account name, and then all we have to do is, you can check or uncheck "require touch", which requires having to touch the key to, you know, show your code, and we're going to click Add. Now I have a Ubiquiti Networks code. I can double-click on it, tap my key, and then paste it, click submit, and 2FA is now activated. Of course, here are the backup codes, so if you need backup codes for any of your 2FA, I recommend generating backup codes and downloading them. Most 2FA setups I have seen have the ability to do backup codes; always keep your backup codes in a nice safe place. So setup is very simple, but the one thing I've heard from a lot of people, and probably the biggest question I had when I started looking into YubiKeys, is: what happens if you lose your key?
So if you lose your two-factor authentication key, you're basically screwed. You need to check your backup codes or find other ways to get back into your accounts. It will be a real hassle. Please note, though, that you have the same problem with Google Authenticator: what if you lose your cell phone that has all your Google Authenticator codes? Same thing. Again, you could use something like Authy, which allows you to have support for multiple devices, but for YubiKeys, how do we get the same codes on multiple keys? So here I am on Ubiquiti again. We're going to disable two-factor authentication once again, and I'm going to show how to configure it manually so you can put these TOTP codes on more than one YubiKey.
OK, I have disabled two-factor authentication. Now let's go ahead and enable it once again. Look here for the secret code. So anytime you are doing 2FA, I won't say every time because I don't know if it's 100 percent, but most of the time when you are doing 2FA and you are setting up these TOTP codes, there will be a QR code and there will also be a way to set it up manually, or you will have something like this that says secret key or secret code, something like that. So to do it manually, let's go ahead and grab this code and copy it. I'm going to open up the Yubico Authenticator, I'm going to delete the one I already have here, and we're going to add a new one.
Now, I have this QR code on the screen, so if I click add it will be done automatically, you know, it will take that QR code. So I actually want to minimize this screen. Let's go back, minimize the screen, and then click add. This time it will not automatically detect the QR code, since it's not actually displayed on the screen, but where it says scan or show the QR code, I'm going to click on manual. For the issuer I'll just say the name of the Ubiquiti account, I'm just going to say Ubiquiti, and then I'm going to paste that secret key that I manually took from the 2FA setup on the Ubiquiti website, and we're going to click add. So there we go, I have it set up, but now I'm going to take my YubiKey off the computer and I'm going to put in a different YubiKey. On my different YubiKey I already removed Ubiquiti from this one, so let's add it again a second time: manual, the same, Ubiquiti, Ubiquiti, paste the secret key, and add. And now we can see that Ubiquiti is on two YubiKeys, so my TOTP code is on two YubiKeys.
Now, what I like to do is I have my main YubiKey here, and I keep this one on my keychain, and the other one, every time I'm setting up a new TOTP 2FA I do it in both places and then put my second one back in my safe. I have a safe in my closet in my master bedroom; that's where I keep this other key, nice and safe, so if I ever need it I'll have it, like if I ever lose this one. But for good measure, in case I lose this, I also have a Tile. I was really worried about losing this YubiKey when I first bought it, and the Tile is a good way to find your things if you've lost them. I have a Tile on my bike in case someone steals it, for example. So this Tile allows me, through my phone, not only to locate the Tile on the GPS, but also to find it when I need to. This literally happened two nights ago: I couldn't find my keys, I had left them somewhere strange and I didn't know where I put them.
I needed my YubiKey to log into something, so I went into the Tile app and then I just clicked find next to where it says keys, and then it makes this little noise, you know, cute. You can also do it the other way around: if you lose your cell phone and you have your Tile, you can double-click on the Tile and your cell phone will start ringing, even if the cell phone is on silent mode like it is now because I am recording a video. A very nice solution, and just kind of icing on the cake to make sure you don't lose your YubiKeys.
Well, by the way, I had two YubiKey 5 NFCs. I lost one. I lost the one that's not on this keychain when I moved to this new house. I still have to find it, I don't know where it went, and I even have this super cool skin. You can see I have the geode skin on this YubiKey, and I have this other super cool skin for my other YubiKey 5 NFC, but I lost the second one. I don't know where it is. I'm sure it will turn up one day; it's probably in a box somewhere I haven't unpacked yet. But if you lose a YubiKey you can have a backup, and you can use something like Tile.
I recommend using something like Tile to make sure you can always locate it. So that is how you properly configure TOTP, but how do you actually configure a U2F type of authentication? Well, let's look at Dropbox. Here I have my Dropbox account, and if we look at the security keys we can see I have two keys. If I click edit, we can see I have a YubiKey 5 NFC and a YubiKey 5Ci. What I can do here is go ahead and delete both keys, and now, even though I have deleted both YubiKeys from my Dropbox account, I can still use TOTP to log in to Dropbox, as if I only had Google Authenticator. That's my only option, but I don't want to use just TOTP.
I want to use the highest level and easiest way to, you know, do authentication when a website allows it, and like I said, Dropbox does U2F, so let's go ahead and configure it. I already configured the authenticator. Now let's add our security keys. We're going to click Add, and it says Add Security Key: a security key allows you to complete two-step verification securely and conveniently when you log in to Dropbox. We will say start setup, then we will enter our password, and now we will connect our security key and click on key inserted. And here we go: making sure it's you, set up your security key to sign in to Dropbox as my email address; this request comes from Chrome, published by Google LLC; touch your security key. We tap it. Allow this site to see your security key? Yes. And the key is added, so now we're going to name it YubiKey 5Ci and we're going to click finish. Now we can see I have one key. Let's go ahead and add a second key. Again, this is where a lot of sites I've seen will allow you to add up to five keys. So remember, with TOTP it was a manual process where we had to go through and set up each key individually. We had to set those time codes on each key; we couldn't use the QR method, we had to do the manual method to set them up. With U2F there is an advantage, in that U2F is already built for multiple keys in most cases. So now let's edit and add a new key to start the setup. I already have my new key connected. We are going to enter our password next. Okay, start by inserting the security key; it is already inserted. Okay, enter the PIN of your security key. So this key has a PIN for U2F, while I hadn't set a PIN on the other one yet. So there we are: we're going to enter our PIN and click OK, tap the security key, allow it, and then we're going to name it YubiKey 5 NFC, and we're all done. Now if I go back to my keys and click edit here, we can see that I have my two separate keys all set up. Let's go ahead and log out, and we'll log back in: making sure it's you, enter your PIN, okay, tap your key, and now we're logged in. Next, a little bit of Q&A. I had put a question on Twitter telling people I'm making a video about YubiKeys and asking what questions people have, and some people asked about Windows login.
Can you use a YubiKey to log into Windows? The answer is yes, you can. There are many different ways to do it, and if you look at this web page here, this is about protecting data with secure computer login. It talks about how you can use apps or log in natively in Windows, depending on how you actually log in. The first one is local accounts, so this is if you have Windows Hello or just a local account on your laptop or something, something that's not connected to Active Directory. They have an app called Yubico Login, so you install Yubico Login, and that allows you to securely log in with your YubiKey to a local computer account in Windows. Now, if you have Active Directory, there are two types of Active Directory. You have Azure Active Directory, which is like the newer flavor. Azure Active Directory supports FIDO2, so you can do passwordless authentication on Windows with Azure Active Directory using FIDO2 with your YubiKey if you want. I wouldn't recommend going passwordless, because then anyone, you know, who has your YubiKey can just plug it in and go, so what I would recommend is YubiKeys with a PIN code to be able to log into Azure Active Directory. If you are using old-school Active Directory, you can also set up YubiKeys to log in using the built-in smart card functionality. And finally, you can also set it up for Microsoft accounts: if you use your Microsoft account to log in to Windows and you put YubiKey 2FA security on your Microsoft account, it will also ask you for your YubiKey right when you log in to your computer with an account connected to Hotmail or whatever, you know, Microsoft account. They also have smart card authentication for Macs, and again, I'll put a link to this page below in the description if you want to check it out.
Another common question was: will a YubiKey work with any site that offers TOTP, so time-based one-time password authentication? And the answer is yes. I have yet to find a site that does not work. It works exactly the same as Google Authenticator or Authy or any of the other OTP apps out there, and you can store up to 32 TOTP keys on a single YubiKey. That might be a limiting factor for some people, but I activate 2FA wherever I can and I have less than 20 accounts on my YubiKey. Plus you also have FIDO2 and FIDO U2F keys, where you can store up to 25 of them. So for me, I use U2F with Dropbox, I use it for LastPass, I use it for Vultr, and I think there are a couple more too that I can't remember, but you have sort of separate stores for your one-time passwords versus your FIDO-based passwords.
OK, what about the different types of YubiKeys available now? There are a few different kinds of YubiKeys: there are the ones that are specifically for security, and there are others that are geared towards other things besides TOTP passwords and FIDO passwords, but here's their lineup. You have the YubiKey 5 NFC, that's this one I have on my keychain. You have the YubiKey 5 Nano, which is basically the YubiKey 5 NFC but in a very small form factor. They have the YubiKey 5C, which is the same thing but with a USB Type-C connector. Then you have the 5C Nano, which is very tiny. You have the YubiKey 5Ci, which is this transparent one that I have here. Again, I don't think the clear ones are available anymore, but this is Lightning on one side for your iPhone or iPad and USB Type-C on the other side. And finally, the newest member is the YubiKey 5C NFC, which is basically like my USB Type-A NFC YubiKey, but it is USB Type-C plus NFC, so you can do the proximity authentication, you know, on your iPhone or Android. There you have it, that's my overview of the Yubico YubiKey line of keys. I love these things. I'm not going to stop using them, mainly because I love FIDO authentication, and in fact I try to set it up whenever I can.
I wish more and more websites would start adopting FIDO authentication so you can use these keys even a little more easily than doing TOTP one-time password authentication. If you have questions about YubiKeys, please write them in the comments below. I'll try to get the best answers I can. Again, I'm not an expert, but I know some experts and I hope they can help answer any questions you guys have. If you use YubiKeys, I'd love to hear your feedback in the comments below. Again, there are a thousand ways to skin all the cats, but this is a really good solution for security.
I have to hand it to Yubico, they have made a really good product here, and again, if you are interested in purchasing some, use the link below, which is an affiliate link. It gives me a couple of dollars, but it doesn't change your price at all, and I appreciate any affiliate sales we receive. Okay, that will be enough for this one. If you enjoyed this video, make sure to give me a thumbs up, and if you want to see more videos like this, click subscribe. My name is Chris with Crosstalk Solutions, and thank you very much for watching.
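
Added example, not part of the video and not Yubico's code: the manual TOTP setup walked through above puts the same secret key on two YubiKeys, and that works because a TOTP code (RFC 6238) depends only on the shared secret and the clock. The Python sketch below parses a constructed `otpauth://` URI of the kind a setup QR code encodes, decodes the same secret as typed by hand, and shows that both copies produce identical codes, which is also why every extra copy of the secret needs protecting. The secret is the RFC 6238 test key; the issuer and account names are placeholders.

```python
"""TOTP (RFC 6238) from a setup QR code or a manually typed secret key."""
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

ALGOS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}

# Constructed sample: the text a setup QR code would encode. The secret is the
# RFC 6238 test key ("12345678901234567890" in Base32); names are placeholders.
SAMPLE_QR_TEXT = ("otpauth://totp/ExampleCorp:alice%40example.com"
                  "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ExampleCorp")
# The same secret as a site might show it for manual entry (grouped, lower case).
SAMPLE_MANUAL_SECRET = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"


def decode_secret(text):
    """Base32-decode a secret, tolerating spaces, dashes, case, missing padding."""
    cleaned = text.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def parse_otpauth(uri):
    """Extract the TOTP parameters from an otpauth:// provisioning URI."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    query = parse_qs(parts.query)
    if "secret" not in query:
        raise ValueError("URI carries no secret")
    algo = query.get("algorithm", ["SHA1"])[0].upper()
    if algo not in ALGOS:
        raise ValueError("unsupported algorithm: " + algo)
    return {
        "label": unquote(parts.path.lstrip("/")),
        "issuer": query.get("issuer", [""])[0],
        "secret": decode_secret(query["secret"][0]),
        "digits": int(query.get("digits", ["6"])[0]),
        "period": int(query.get("period", ["30"])[0]),
        "algo": algo,
    }


def hotp(secret, counter, digits=6, algo="SHA1"):
    """RFC 4226: HMAC the 8-byte counter, then dynamically truncate."""
    mac = hmac.new(secret, struct.pack(">Q", counter), ALGOS[algo]).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret, unix_time, period=30, digits=6, algo="SHA1"):
    """RFC 6238: HOTP with the counter set to the current time step."""
    return hotp(secret, int(unix_time) // period, digits, algo)


def verify(secret, submitted, unix_time, window=1, period=30, digits=6):
    """Server-side check: accept +/- `window` steps of drift, constant-time compare."""
    step = int(unix_time) // period
    matched = False
    for drift in range(-window, window + 1):
        if step + drift < 0:
            continue
        candidate = hotp(secret, step + drift, digits)
        matched |= hmac.compare_digest(candidate.encode(), submitted.encode())
    return matched


def codes_on_two_keys(unix_time):
    """Key A is provisioned from the QR text, key B from the typed secret."""
    from_qr = parse_otpauth(SAMPLE_QR_TEXT)
    key_a = from_qr["secret"]
    key_b = decode_secret(SAMPLE_MANUAL_SECRET)
    return (totp(key_a, unix_time, from_qr["period"], from_qr["digits"]),
            totp(key_b, unix_time))


if __name__ == "__main__":
    code_a, code_b = codes_on_two_keys(59)
    print("key A:", code_a, "key B:", code_b, "identical:", code_a == code_b)
```
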
