I love my Yubikey"s, my big complaint companies don't have the options to use them. There still stuck in the past with sms or push

I've recently been researching U2F and FIDO key 2FA solutions, including getting FIDO2 key and starting to use it last week. This was the most direct and useful explanation of what the protocol is and how to utilize it that I've yet found, so THANK YOU! The confirmation that FIDO is a ubiquitously supported open standard under the purview of the W3C was especially reassuring!

Something I didn't know until recently, is that even if the Fido key is duplicated, there is a counter added to it. If the counter doesn't match expectations, the authentication fails, and the key is voided for that site.

I'm carrying an elder Yubikey for approximately 10 years on my keychain with no problems. So I would say, these things are really durable. I can't say anything about other brands.

Btw U2F generally refers to the 1.0 spec, it was superceeded by fido2 and finally by the passkey name

I much prefer the TOTP over pushed notification. I find it more convenient, less intrusive and more secure. I've been wanting a yubikey since the first one came out, but that was always a big budget for a key that only a dozen of the sites I use support. I wished my company would switch to something like that, but they wont, even though I keep nagging them about it (and other security improvement for their infrastructure). Some day i might ask for a transfer to the IT department and implement those myself, who knows...

I sure hope more banks start widely implementing them

In Australia, the Australian Tax Office uses push notifications for 2FA. If it's a new device without previous history of login to the account, the push notification has a 2FA code, if it's an existing device previously authenticated, it's an "approve / deny" push notification

Duo also supports YubiKeys, you don't have to use their app and push. That means they can bring YubiKey functionality to all SSO (SAML and OIDC) as well as workstations, VPNs etc even if they don't natively support them. You can also set policies up to select which apps require only a YubiKey and which ones can use push. This also gives the IT team the ability to fall back to push/bypass for users that do lose their key, and central management where they can disable a lost key on all accounts.

Bought 2 yubikey 5 nfc's after your's and Jay's videos about them... Been very happy with them.

Starting to roll these out for AAD and WHfB at work. Very cool stuff. Our users will love this vs. TOTP or number matching with push notifications. Still learning the differences between FIDO2 pwdless and smart card auth. More reading to do :)

I really hope this does get widely adopted, and I've been pushing it for a few years now. In Canada it's very common to use SMS messages for MFA, but because of phone number porting laws (designed to make it easier for consumers to switch providers), it is somewhat trivial to steal someone's phone number (SIM swapping attack). Yet most banks and other large institutions here continue to only support SMS as a MFA method.

Yubikeys are great! I think the most pressing matter for Identity Security is what to do when the threat is already inside. I recommend looking into products that can prevent the threat from lateral movement and minimize blast radius. A product called Silverfort can protect organizations from that, especially on legacy apps and on-prem solutions that don't support FIDO2 (Silverfort can extend your FIDO key usage).

Appreciate the content! FIDO U2F is consider legacy. FIDO2 is the newest and I believe is what you are referring to.

Lawrence, THANK YOU FOR ALL YOUR VIDEOS. Much love. Peace ✌️🕊️

Agreed, I was speaking about FIDO2 to other week when the UBER breach happened- MFA MiTM efforts and how FIDO2 would have helped.

Helpful information! Maybe do a video on a breakdown of FIDO and U2F, as it's a common confusion point for people. One being a protocol, and one being the implementation of the protocol.

You can control Fido key registration through an IDM solution like Microsoft or OKTA from an IT level, so you can issue keys to employees from the security team side of things.

Ive had yubikeys for several years, one on my keys and one in a safe place, they are very convenient to use and I have seen support growing over time

1:32 - one way to stop notifications on android is to force stop the mfa application itself. can't push notifications is the app itself isn't even running in the background. :D

Thanks for another useful video article Tom, it's really appreciated!

I bought a Fido key & had it for well over 1 year & didn't start using it because I thought it would be difficult to setup. I was wrong! Easy to setup & use plus no I have the peace of mind of 2FA 😀

Really appreciated this may come in very handy, thank you. 🙂

Great vid. Frustrating how difficult it is to have multiple keys on some services. Or even swapping to jus the key and not a Google or MS app as well without disabling MFA.

Seems like the banking industry only uses email or SMS 2FA. Can't use Yubi or Trust at any institution handling your 401, savings or checking accounts. Wonder if this will change anytime soon?

It's this and also "Passkeys" that are going to use your iPhone's secure enclave, or other type security hardware on device to use your already built in TouchID / FaceID / Windows Hello that prove that you are you. We are moving towards a passwordless future as a whole.

Apple implementing this for its passwordless setup means that it will adopt faster in the consumer space IMO.

The Rube Goldberg machine marches on lol. This system isn't going to fly with most normal people. Already picturing getting multiple calls a week "hey I lost that USB thingy you gave me and I cant sign in anymore.....". Honestly would be better to just make it so the system cant send more than 1 push notification in a 10-20 minute period and make it so users have to unlock their phone and actually look at the request before being able to hit yes. If you think the people that cant even handle having a unique password for every service can handle not losing their magic USB stick, IDK man.

I had a good chuckle at APT

I'll switch only when recovery key can be issued along original that is able to disable original and take its function without reconfiguring every website (plus issuing new recovery key in the process)

1 - IF there is a flaw within the firmware/protocols (there will be, nothing is perfect) you would need to replace millions of those devices, with the cost and it takes time 2 - Replacement for failed devices Software solutions are always better because of their flexibility, besides (some of) the code could be peer reviewed. Nonetheless I do like the Yubikey/Trustkey, security benefits afterall.

it's worth mentioning that all modern smartphones support webauthn and authenticate users with their fingerprint or face id, which removes the need for the vast majority of people to purchase additional hardware

I like yubikeys, and I have 2 of them. Unfortunately getting non techie folks to use them is a real challenge.

Your APT description 🤣🤣🤣

Currently I use KeepassXC's TOTP feature as it's easy to click on it to provide the code. Plus I can sync the database to my NextCloud as backup. I'll be looking into FIDO2 compatible keys to see how well it works with KeePassXC.

👍🏾 appreciate your videos

bro I love that shirt. Thanks for the video btw. I've never seen such a great explanation!

I don't see myself using these kinds of thingamabobs. I don't want to carry even more stuff around with me, I don't want to have to manage multiple physical sticks and I don't want even more small items that are easy to misplace and/or accidentally drop somewhere. It's a good point about the push notifications, but none of the services I use do that, so it's not an issue for me.

I use a a CozyCap USB cover for the Yubikey and USB devices I carry on my keychain. Give me a lot more peace of mind.

What's the opinion on Microsoft's authenticator? It uses push, but also asks you to select the number which is displayed on screen at logon - still not fool proof, but helps avoid inadvertent 'allow' taps. I would love to have physical keys, though they can still be costly 😬

Companies that aren't using WebAuthn are asking for trouble. The SMS codes can be an option for the uninformed but WebAuthn should be standard. It annoys me to no end that one of my CC banks doesn't have any 2FA options. My password for that service is over 100 characters to avoid being hacked.

As an IT Manager, I'm currently struggling getting staff to buy into just MFA. I have total buy in from Sr. Management, but even then some staff refuse to take part. I need a good strategy on how to get staff to buy into FIDO (which I and my whole IT team use), but its more challenging than it sounds.

Yubico has TOTP as well in its newer keys so I use that as well. I don't do push notifications because of the inherent tracking built in to the apps especially Googles app. I use a hardware password manager, Mooltipass, that includes Fido2 and TOTP for one stop login. Backups are essential so that is a downside.

The thing I don't like about these keys is that I use multiple machines at different times throughout the day in geographically different places. If I "forget" a key at home, and go to work, I'm turning around to have to get it. If I'm at home, upstairs, and my key is downstairs, then well, guess I'm moving my butt to get it. I'd either need a key for each machine, or, move the key around to each machine which starts to give to physical fatigue of the port and keys. Also, one of my laptops has a limited number of USB ports, so I'd have to unplug the keyboard or mouse to use it, or get a hub which is just more garbage to haul around and keep track of. (I'm generally not a fan of laptop keyboards due to their size and positioning of the keys, or, lack of keys (Numpad)) Keeping the key with the machine itself, if you lose the machine and the key, then what? Just to "touch" the device isn't enough. Fingerprint recognition on top of just a touch would be much more of an asset, but again, because of geographical differences at any point in time still kind of gets me in the "not subscribed to the idea" feeling. If this were to be something to be had on my phone, which goes with me everywhere, hard to misplace or drop and eliminates physical fatigue, then I'm in. If what I need to "log into" is sufficiently separated from what my phone would need to authenticate for, that's fine by me (IE: The phone only answers to requests from external access, but, doesn't have any knowledge or ever has been to what is making the request for login). If I'm being hammered by authentication fatigue, and I'm not making the requests, I stop the notifications from showing up on my phone for a period of time, or, I go and start resetting passwords so 2FA doesn't get to me.

I love my FIDO key, because it has the TOTP codes and FIDO2. I wear my key on a necklace that I pretty much never take off. I can use it on my iPhone XS with NFC, my PC with the USB, and have all my codes and authentication there. Plus, Apple now has their Passkey, which I'm pretty sure is just Apple branded FIDO2. Once Apple does something, it becomes a universal. Give it a couple years, and most main-stream sites I imagine will have at least partial support for FIDO2 passwordless authentication. Microsoft already has this, and it's genuinely handy.

More complexity, more training, more user error, more time involved in access, more time involved in support and diagnosis, more people involved just to do something simple... This, just like MFA, is just adding more to the nightmare that is being an IT tech. Most end-users can't even manage clicking a button when their authenticator app pops up showing a code or just asking for approval. They'll look you dead in the eye and say they never saw something pop up, or that they have no app (that they have used daily for years). And new clients, forget it. I had to do 7 layers deep of account recovery and MFA enabling recently just for one new client to finally setup their Outlook on a new laptop. It's getting to be impossible to function, as an end-user but especially as their support. It's not sustainable nor effective to just keep adding layers of authentication, especially when the primary vector of attack is user error. Taking it all away would be less secure, sure. Just the same as removing people's access to cars would prevent car wrecks. There's a point where ability to function is hampered too much in order to boost security, and MFA is already itself too far beyond that point for most people. Heavy duty MFA, Fido2, etc to access your crypto key device that had its own multi layered security, sure... But all that just to access Microsoft Word, some video streaming service (which is where it's all headed), or to help end-users as a support tech? It's f*cking bonkers.

Thank you!

Windows Hello, Android and now the iPhone and MacOS have this built in. Users do not need keys. FIDO now supports multi device key sharing. Apple implemented it Google and Microsoft should have it soon. Even with slightly less security guarantees they are better than most current MFA solutions. Also the operating system keys are 2FA by default. They are an authorized device and a biometric or a pin.

Limit how many times push can show up, by going into notification settings. Done!

Hi Tom, great video. How would you support this as an MSP? Is there a one ring to rule them all in the spec? Seems great for an individual what about support as a MSP?

My only complaint is it assumes the user has affordable access to secure hardware tokens. The technology can't really scale until products like Yubikey are as cheap and common as average USB.

Tom you should check out what we are doing over at Beyond Identity. I talk about some of it on my channel as well. Private key should not move. Security keys are a hassle to admins and users. There are better solutions out there.

the compamy i work at has decided that all users that have admin rights in our man program suite has to use a yubikey for autentication. all other users must atleast use a push notification style authenticator, but if they want and ask for a yubikey they can have one. i fond this a good compromise. i have already recieved my yubikey and im happy with it so far.

SQRL solves for all of this, plus deprecates user credentials in favor of a secure single factor.

Meanwhile in the UK our banks seem pretty happy about their recent rollout of enforced SMS 2FA 🤦

cool video. thanks

What about this compared to something like Trusona? That sign on method makes sense to me and I like It as it doesn't require additional hardware. If you are familiar with Trusona, how does the security compare? Probably not a simple answer, sorry. I'm on board for more security, I wish something would get widely adopted soon.

Surely the quickest and easiest protection for MFA fatigue is to just disable the push feature and make people enter the tokencode?

Why would someone NOT raise an alarm if their phone gets a push and they are NOT the one logging in!? 😯 Maybe that's part of the reason there are beaches. 🤦🏻‍♂️🤣

Using google account here. Already have 2 step set up for my Authenticator app. When going to add a security key it asks to enable passkeys. Why is this the only option?

You may want to do a video regarding Passkeys, which is going to make any use of security keys completely moot (imo)

Some thoughts: (1) you can 3d print enclosures to help keep these from getting too banged up on a keychain, there are designs on thingiverse and printables already; (2) I don't understand how MS hasn't implemented FIDO2 over RDP yet (AFAIK); (3) it's frustrating that more modern sites like Paypal only allow a single hardware token and less-modern sites like most financial institutions don't support them at all; (4) also frustrating how many sites require you to have a less-secure second method of authentication, totally degrading the security hardware tokens provide. I want FIDO2 and only FIDO2 and I don't want sms OTP but some sites don't allow that.

How does FIDO2 differ to OATH when using a hardware token and why might you choose one over the other?

Wordpress supports webauthn through a plug-in. PAM also supports either FIDO or FIDO2.

Can you explain why some security keys work on U2F and WebAuthn sites but not on FIDO2 sites? eg. KeepKey for example works on most U2F sites but it won't work on say ebay which uses FIDO2. What is the implementation missing that prevents it from functioning on sites using FIDO2?

Meanwhile in norway they decided to redo our most used auth system from a sim card application to a push based phone app... And not support anything else.

Disable MFA push or configure for time out 15 mins then you don't have that issue. Manually enter the code then there is no push.

still have rsa key fobs for some access however most companies have moved away. curious how you plug this into a mobile device and authenticate - noting that self authentication on a mobile is well almost useless.

Not sure I like the idea of the authentication request to be tied to a host. If I have a replacement host then I will never get that authentication request and I am then locked out.

My boss doesn't think we need FIDO2 since we have AAD and SSO for most everything with Conditional Access policies to restrict access to AAD-joined devices only. I tried making the zero trust argument and benefits of FIDO2 vs TOTP or Duo push, no dice...

I really love this tech but the problem is usability. I have a older low-end Android smartphone that has no NFC or similar (the only external connection is a single micro-USB for charging). How would I use one of these keys to log into my bank on my phone?

Could a consumer use this for folders, documents, computers etc. I know i could use it for bitwarden. Thanks.

I would really like to see a smartcard with most of the functionality of a Yubikey. I don't want to carry a dongle on my keychain, but I could add another card to my wallet. As long as it has NFC to work with my phone, that would cover most day to day use, and I don't mind buying a smartcard reader for my PC if the tradeoff is an easier to carry form factor.

It also stops evilginx AITM type attacks.

Can we all just agree that MFA is a superior term than 2SV/2FA and use it exclusively.

Is there a software emulation of a FIDO2 "key"? Seems like there could (should) be... I recently uninstalled the okta authenticator. I switched to using TOTP codes (such as generated by google auth instead). I have not yet accidentally clicked "yes it was me" in response to an okta notification, but it would be easy to do. I'd rather deal with the 6 digit codes.

I turned the notifications for 2FA off, they are just silent. When I want to login, I start the app. But I've never had event when I would receive notifications - not that interesting target :)

I just don't see what the benefit is versus using TOTP - I hear about it being more convenient, but I literally just have to tap my finger on my phone then open my TOTP app. It takes me and extra 3 seconds compared to a key... and I'm far less likely to lose my phone. Is there something I am missing / not getting?

We’ve used micro USB-C keys for a while 5 years and for devices with multiple USB-C ports we ad a tiny drop mild glue to make it stick. 2000+ keys and zero lost. The full size keys we use a wire loop with a pressed closed clamp on a quality key ring and users don’t mind because we gave them something else, we social engineered them to carry the key on their house/car keys

Hackers, leave Tom alone!!!

Is TOPT a thing I'm supposed to know about?

USB sticks are very inconvenient on mobile phones even with NFC. And this is major stop factor for me.

that doesn't solve the problem first explained, it just silences it (meaning someone could still spam it enough to make you touch it at the wrong nime, ie: trying to log in yourself, and auth them by accident)... a cooldown in requests per machine would solve both problems...

Robotics... New MITM... Never seen it coming 🤣 [Arduino has entered the chat]

The biggest down side of these keys, is that most website only allow to you to associate a single key. I have 4 systems I often use for my work, I a PC at home and work, I have a phone and a laptop for emergencies. Keeping your fido key at you at all times is very hard. If you forget it and you need instant access to a system because there is a major issue, you can't do anything. I rather get hacked than loose a client because I couldn't solve a simple issue because I was unable to locate my fido key. We all know that emergencies don't have a 9-5 jobs...

Disclaimer: I don't know and genuinely wonder... What about race conditions? If I have access to the computer the key is used in, and my background software is trying to login on another service with their credentials at the same time? I know it is more "ifs", but a virus-ish could dump your bitwarden database every day if they only got your username and password once, as long as they time the blink with another login (like a VPN connecting) that could make the user not think twice.

I use Yubikeys and Windows Hello. My opinion is that Windows Hello is the way to go (IR Cameras specifically but a high end fingerprint scanner can work too).

wouldn't buying these on amazon be a security risk? can i trust that the vendor is not some bad guys?

i would say - if you not login anywhere and see the auth request - its a flag that someone trying to hack you. is there idiot who press yes if he is not the one who login?

Do rhe trust key or thetis key "update"/ "phone home" like yubico does? I don't trust that. They shouldn't need to if they gave the fido algo installed so its nefarious. Anyone examine the packets they send even or everyone just "trust?"

What happens when you lose the key?

Most people become preteens when it comes to security. I'd put TOTP mandatory for every service and please... PLEASEEEEEE.... stop asking a cellphone number in the way (especially in a Workspace owned domain)

It can be safe with a phone. The national electronic ID in my country (a specific app/program, that you can only get by authentication through a bank, since they have the strongest security already), will show a QR code on the screen, and you will have to use the phones camera to show that you login on the system you claim you are using. To make it even more secure, banks and other sites that need the best security, have started using rolling QR codes (the QR code changes every second). In other words: 1. You have to open a bank account in person. 2. You have to access the bank with a 2 factor identification device (You log in to the bank, you login to the device, you get a code from the site, you type it in to the device, you get a code from the device that you type in to the site. And even these devices is being replaced with models with cameras and QR code systems). 3. In the banks site, you chooses to get a digital ID. You sign the ID with the method mentioned above. 4. Now you have an ID that you can login to and authenticate, that you are who you claim you are. Obviously if you get promted to authenticate something, that isn't correct, you can't. Because you will not have access to a QR code (besides, you should never be prompted to authenticate, unless you initialized a login to a site/service, in the first place). The digital ID expires every few years, but you can login to the bank and block it at any time and get a new one, if you forget your password or you think that you have been compromised, or you get a new device (phone, tablet, computer). Forgot to mention, that another way that this is used, is to identify yourself in phone conversations (to prevent social engineering). You will call a company or government agency and they will send a signal to you Digital ID, and you will have to authenticate before you will be allowed to have a conversation with them. That way, they know that you are who you claim you are.

What about FIDO fatigue?

The problem is that this key's don't protect against session cookies Stiller's

Security people love to say "we."

Login to site with user/pass Website pops up a qr code scan qr code with phone Login approved. Why doesn't that exist? Seems so simple.

i love and hate yubikey its honestly super easy to lose and having it in the pocket can trigger NFC on my phone if i forget to lock it, on other hand they are much more convinient then TOTP on phones. i hope we could reliably achive same thing with phones or a component of phones as we tend to have them on us, push notifications for auth are generaly bad but i think microsoft does them well with pick one of 3 numbers system, imo its good alternative for general consumer better then nothing but not as annoying and complicated as TOTP

Implement hardware 2FA for regular clients of the bank is a very luxurious expense. Joe's 25k$ aren't worth that much of a expenses if a sms 2fa is getting job done.

How come everybody is passing by GRC's SQRL