Comments:
Bro.. I flashed my phone... I used my fingerprint as security key.. Now my fingerprint is required to open discord.. What should I do please help
I would love if my bank would give me a way to use 2FA to use hardware key over app or sms
In my perspective, hardware keys pose a potential risk as they are susceptible to theft, which in my opinion, is a more likely scenario than someone hacking into a full-disk encrypted phone or computer. Unless these keys are fortified with additional security measures such as password protection, I don't perceive them to be superior to using my phone as a method of two-factor authentication. Phishing doesn't pose a substantial threat to me, given that I utilize 1Password, which has anti-phishing features. However, I do recognize that hardware keys may offer enhanced security for certain individuals.
There is absolutely no way you can steal my phone, unlock it or decrypt it, decrypt Aegis, and login to any account faster than I change my 2fa(s). This may be possible with a stolen hardware key.
I recently updated my phone since it forced me to do so, but when it finished updating it, all of my photos, videos and apps I have downloaded were all gone including the authenticator. I used the authenticator for Roblox for my account log in, but now that it has been deleted, I can't log in nor find the exact authenticator I used. I tried setting back up the log in code on other authenticator apps, but it didn't work. So now I can't log in to my account anymore. Can someone help me?
Why would you keep one key in your wallet and another in your laptop? Surely if the one in your laptop breaks you wouldn't need the backup that urgently? Also wouldn't that be a problem if you fall into water? You'd think you should just keep one at home. idk tho
Is it safe to leave it in your PC all the time?
They should make these with security cameras on them so you wouldn’t have to buy multiple ones maybe they can team up with us security camera company
these things are impossible to set up properly, there are many workarounds for these things as banks and google and every other platform that "Supports" them don't work at all. don't waste your money
Why does Instagram not have the option for Yubikey or for any physical hardware token form of 2FA?
It’s very weird considering that Facebook has this option and both companies are part of Meta.
If you keep it with your laptop you lose it and your laptop together.
can your employer track your location with this key?
What about onlykey?
I don’t know if I fully trust these keys … see they could install a keylogger and still be hacked.
I always thought 2fa was stupid.
I've been using yubikeys for over a decade now. While I am not particularly a security enthusiast, I find them to be extremely convenient. Especially when traveling to countries where you might not have your phone number. Getting locked out of your email because you don't have your phone # is not a good time.
But also having a key that only I have access to makes things quite nice. I wish banking institutions would allow me to use it. As of now, my banks are my weakest links when it comes to 2fa
Do you have a video on having multiple 2FA and using the others as backup? Say hardware keys are your active 2FA, meaning the only one you use, and you lost your hardware keys, but fortunately you’ve got your TOTP Authenticator code backed up in a location that doesn’t require the use of that hardware key. My thought being that you have multiple 2FA, which seems less secure, but if you aren’t using the other ones it lessens the possibility they are compromised. Instead just have them stored on an encrypted USB or in a veracrypt folder on the cloud (your thoughts on the security of this too?) for the day all your hardware keys are lost. Realistically I don’t see why having more than one backup 2FA is necessary if you would be storing that 3rd 2FA backup in the same secure place. Or any other thoughts on this, best alternative backup 2FA (might depend on the 2FA offered by each service).
Basically any video you can point to where you talk about using multiple 2FA and your security thoughts on this. Thanks!
What’s weird here to me is why you would use an external security key over something like Passkeys. I have multiple security keys which I use weekly, but I use biometrically protected Passkeys wherever supported
Let me see you sim swap my email. Just send the code to the email instead of a phone company not smart enough to not swap you with someone that's not you.
Until you lose or the key gets stolen.. lol
@Techlore: The Nano can be used in a Pixel 6a, right? Plugged in with the sensor up or down, right?
Can someone tell me if it fits into the cutout at the USB-C Port of the Otterbox Commute?
Otterbox cannot tell me even though I provided the exact dimensions 🙄
It is true that SMS is better than nothing. Not everyone is going to SIM swap attack everyone. Not only that but a SIM swap attack would disconnect your service. If you catch that quickly enough and get down to your phone carrier you may just have a small chance to fix the problem. I doubt you would catch that S.O.B. who did it but at least then hopefully if you catch it soon enough he will realize that you know something is happening and move on. Don't abandon SMS unless you have something better. Those ones that tell you that SMS is useless are probably the hackers hoping that you would just give up on 2FA and make it easier. Some people do play tricks on you that way!!
Do you know now security keys now integrate on phones to say your fingerprint be your utf
You don't need to plug them in. You can use NFC on some models
I have three fido devices I got years ago get them out now and then for another shot... always too much of a pita. Now if there were a password manager that used U2F to effectively U2F enable all the sites I use, I guess it may be ok.
A couple of mine do bluetooth, NFC and USB, but never really worked with android - and I only recently got a phone that does NFC....
Maybe time to dig them out again!
I prefer a security key over 2FA
people who care about security as randoms are insanely delusional. narcissism + low knowledge in computer science, happens i guess..
Wouldn't leaving that key in your laptop be a risk? For example, what if someone stole your laptop with it in it?
If you keep it plugged into your laptop, and someone steals your laptop, you've provided them (literally) the key to hacking all of your accounts.
I wish their keys were made of durable materials or that they were honest with clients and tell them: “don’t store these with your keys in your pocket”
wow.. so many banks simply do not have any 2fa or mostly phone/sms/email. they really have to catch up.
If I lose my hardware key is there an option to switch over your old credentials from the lost key to a new hardware key over the internet? Otherwise, revoking the old key and adding a new one in all my websites will be a tremendous headache. I know we will have a backup key as well, but we still have to revoke the lost key on all the websites.
Great video. I use mine with my password manager Bitwarden. I wish financial institutions (i.e. banks, credit card companies) support hardware 2FA.
Yubikey is actually 3fa so the title you've chosen makes little sense...
how much you get paid for this sponsorship
People with security keys: "Wow look at me, my security is impenetrable!"
People with fingers: "yoink that real quick thanks"
Or your bank has no 2FA. Yes truly these days that's sad.
I'd like to see more developer guides for integrating u2f with your own websites... most focus on the htop mode of the yubikey specifically rather than the universal and far superior U2F.
surprised you didn't redo the video with how many mistakes there are, other than that great advice
Absolutely love security keys and the peace of mind they provide. However it baffles me that every bank I have only allows SMS verification 😒
2fa is perfect in every way. Everyone should have it, despite it being a pain in the ass. It's impossible to get around and if you do it, it will be impossible for anyone, no matter the circumstances to get your information. THAT is what I've been hearing for years. Why all the backpedaling now? Oh, it's because cybersecurity wants to sell us a new pos that will be even more problematic if there are ever any issues. I hope every one is in for a lifetime of fun if anything ever happens to these things.
I bought 2 Security Yubikeys, because they fit my threat model. I still struggle with the "management" part but I'll get there, it's just a matter of finding the more intuitive arrangement, but overall I like this solution a lot. The irony is the few services I use that accept hardware keys are the (only) ones that accept TOTP. It's all or nothing, so I've decided, whenever it's possible, to delete accounts or services that don't offer at least SMS 2FA.
Thanks a lot for your video, and all your work :)
good luck with carrying that around
I have been using yubikeys for years, I even give them as a birthday present sometimes to friends and family....
U2f is nice, but personally I would only recommend it for business, including working for yourself. TOTP is frankly more than enough.
Leaving the yubikey plugged into the laptop sounds like a terrible idea.