r/yubikey

▲ 10 r/yubikey

I am once again asking: Yubikey 5 or Security key

I have seen this type of question, but I don't really understand how the technology works, so I want some clarification. Im OK with buying the yk5 if its what I need, but since im planning on buying 3 (one for me, one in safe, one in some remote location), so If I can save my money, I'll do that.

My main goal: Take my ssh keys and put them on the yk (Or create new ones on the key), so that not only do I not have to worry about my keys being stolen (so long as the yk is unplugged its inaccessible to hackers), but I also want something portable. If I don't have my laptop on hand, but I do have access to a linux PC (that I can be reasonably sure is not compromised with malware), then I can plug my yk into that pc and use ssh on that PC, preferably without needing to modify that PC at all. Then I can unplug the key and go about my business.

I like the way SIM cards work, where the Secret key is on the security chip and never ever leaves the device, and instead you can use the device to encrypt and decrypt traffic without ever touching the secret key.

From what Ive seen on YT this can be done with FIDO2, but talking on discord It seems like I need PIV? Im confused because I dont know how these technologies interact. Hopefully this isnt just gibberish :P

reddit.com
u/IllustratorSafe4704 — 6 hours ago

Proton account secured with FIDO2 for 2fa

I am thinking these days about the balance between security and convenience.

If I have two security keys C NFC by Yubico, and use them for 2fa to secure my proton account. And active sentinel program. Is this secure enough to hold all my sensitive information into Proton Pass - including passkeys or secret keys for 2fa authentications to all other accounts.

The other method I was thinking about is Yubikeys, which have the option to keep 2fa secret keys on them, but their price is twice the security keys and also I'm not sure that is more convenient needing two different apps to log in.

In case I lost both Yubico keys, which sounds to me really unlikely, I'll keep recovery phrase locally. This was recommended to me by Proton support, after activating sentinel, for the only method i need to keep to reset my password and recover my account.

reddit.com
u/No_Krava8246 — 19 hours ago

Adding PIN after setting up in iCloud

Apologies if this has been covered before. I just set up two YubiKey 5Ci’s on my iCloud and then realised I wanted PINs on them. Is it okay to set up PINs after I’ve added the keys to my iCloud? I understand the PIN is separate to iCloud so then how does iCloud recognise the keys later when you need the PIN to use the key? (Sorry if that doesn’t make sense, I just want to make sure I don’t get locked out of my iCloud and I’m a bit technologically challenged 🤦‍♀️) Thanks so much!

reddit.com

Can Infostealers bypass Yubikeys?

Hey everyone,

I'm writing this in regards to the MrBeast scam that has been going around Discord lately. Recently I have noticed an epidemic of folks getting hacked by this very scam and based on my initial research I have concluded that this is a Infostealer or a token logger so to say and that most people contract it via downloading cracked games, software, mods or something that was attached to some download file you found on the internet and from what I have gathered, it just doesn't stop there. It seems that this type of malware gets every account you have saved on your computer. Your social media, steam, and all your other accounts and it's so bad that if you get infected, the best thing you can do is to completely wipe your computer and do a fresh install which is the ultimate nuclear option. The worst part? This bypasses 2FA which is the scariest part of this.

And after reading about this and seeing a couple of my buddies fall for the MrBeast scam it's got me thinking... Perhaps it is time for me to buy a Yubikey and link all of my accounts to said Yubikey. My buddy who got hacked and nearly lost his steam, Fortnite, Roblox, and Discord accounts, immediately went ahead and purchased a Yubikey and linked his email, Steam, Fortnite, Discord, and every single important account onto that Yubikey and ever since then he has been preaching everyone including me to purchase it which I am very close to.

I take my account security very seriously. I've got 2FA installed everywhere but with this MrBeast scam going around everywhere it's making me feel that not even 2FA can protect you as this InfoStealer is a very common piece of malware that an average user can easily come into contact with and I do not want to become another victim of this. So, my question for everyone here is what exactly does YubiKeys do that differentiates from your standard authentication 2FA? All my accounts use authentication apps IE: Microsoft authenticator. I know this is a physical key that stores every account you link to it onto that device and you can simply plug it in and you're into your account and another question, can InfoStealers like the MrBeast scam bypass 2FA and can the malicious actor remove your Yubikey from your account? And is having a Yubikey give you a much easier time to restore your compromised account versus you not even having one? I ask these questions as a concerned user as well as someone who has come from the field of IT and who takes account security very seriously.

I appreciate the insights everyone.

reddit.com
u/yajirushi77 — 1 day ago

Its kind of fake security

I’ve been able to register with 11 websites. 0 national banks support it; but here’s the kicker…

All of the websites still allow the original username/password logins. The yubikey is just a different way to login. Bad actors can still force password resets that trigger back to email verifications where they can get into all of your accounts if they have access to your email.

Take Gmail for example; you are forced to have a verified phone number and a login 2fa can fallback to sms verification. It’s not secure at all, the titan or the yubikey is just the first option you’re using but anybody can select the other options for verifying and bypass the security key altogether. What’s the point of even having it.

Set a complex password in keepass and you’ve effectively given yourself the same level of security as a yubikey.

They’re great but every website has really poor implementation. The way they’re utilized is just a fad and offers no better protection than without one.

Change my mind 🤙💙

reddit.com
u/_ninjanate — 1 day ago

Need your help before purchase

Hi!

I am planning to replace my old 5.4.3 firmware set of 5C NFC keys with an OpenAI / Yubico bundle. However, unlike the 'vanilla' 5C page where all specs are described, the bundle page has no relevant details about the firmware on the keys dispatched these days. I am aware the OTP function is missing, but that is OK.

If anyone here has the bundle, can you please run a 'ykman info' command in a Linux/macOS or get a screenshot from the desktop app with the actual features of the keys?

This my current key:

> ykman info

Device type: YubiKey 5C NFC

Serial number: 17738421

Firmware version: 5.4.3

Form factor: Keychain (USB-C)

Enabled USB interfaces: OTP, FIDO, CCID

NFC transport is enabled

Applications USB    NFC    

Yubico OTP  Enabled Enabled

FIDO U2F    Enabled Enabled

FIDO2       Enabled Enabled

OATH        Enabled Enabled

PIV         Enabled Enabled

OpenPGP     Enabled Enabled

YubiHSM Auth Enabled Enabled

Thank you very much!

reddit.com
u/iedutu — 2 days ago
▲ 13 r/yubikey

Why do so few sites prompt me for my securey key PIN?

I have a pair of yubikeys that I try to use whenever possible (the main one and the backup). I set both of them up with a PIN for the added security layer, but lately I've been noticing fewer and fewer sites prompting me for the PIN. Like, even sites that used to just ask me to touch the key.

Is this a server-side implementation problem, some sort of caching of the PIN in windows 11 (which would be absurd), or some other mysterious force that seems to be removing that extra security layer? I'd like for everything using the keys to prompt for the pin.

reddit.com
u/doubletaco — 2 days ago
▲ 14 r/yubikey

Queries on yubikey/cybersecurity

Hello, I hope this thread finds you well.

I recently became interested in privacy/safety opsec and would like to further improve that.

I decided to look into hardware keys and found this brand to be the most promising and decided to look into the series 5. However I am a couple of questions that I want to solve

Is it better to purchase the FIPS series or the consumer brand? I wanted to look into the FIPS because it appears to offer the most protection, however, I am confused by the difference between them, as far I can tell, one is commerical and the other is for orgs but is there anything I would be missing out on when buying either one?

Second, I am aware that a common hack is infostealing/session hijacking. I do not believe a hardware key is strong enough to counteract. However, is it possible that to prevent session stealing, I can merely logout when I am done and login using my yubikey and delete cookies all the way through? Assume a hacker does get into my account, what could he possibly do as in order to change my password he would need my passkey approval.

Third, incase, I lose my first key, is there a cheap 2nd key that I may buy preferably type c and is as safe as the previous, or is it better to just buy two?

reddit.com
u/Moist-Water8832 — 2 days ago

Yubikey USB A and C

I have a Yubikey C with apple port but I can't find one which support USB A and C, why Yubico is not offering both in one or I missed something?

reddit.com
u/c7b3rx — 3 days ago
▲ 24 r/yubikey

YubiKey Passkey Enabler

I just tried reading through the article posted today about the general availability of YubiKey Passkey Enabler, though I'm not totally sure if I understand whether or not I need this and if it might pose any problems of vulnerabilities. I've only recently attempted to use one of my Security series keys on my phone to log into my Costco account, and it seemed to work just fine (physical insertion as well as NFC attempt) without needing this app. So, is this just supposed to make things more convenient (i.e. thereby trading for less security)?

u/OverTheVoids — 4 days ago
▲ 11 r/yubikey

When will keys with the 5.8 Firmware be available?

Just wondering since it has been announced almost half a year ago.

reddit.com
u/schuhfritze — 5 days ago
▲ 17 r/yubikey

USB or NFC

So I'm a bit confused about which YubiKey I should be considering . I've tried the Yubico site's guide but I'm still unclear. I want to be able to it use with various computers but also with an iPad ( USB C) and Android phone. AM I correct in thinking that:

  1. If I go for a USB based YubiKey I'd need USB A for older computers and a different USB C key for phone an tablet ?
  2. A USB A YubiKey with NFC though could be used on all three (USB A for computer and NFC for the iPad and phone ) ?

Thanks in advance for any help.

reddit.com
u/Practical-Tea9441 — 6 days ago
▲ 23 r/yubikey

YubiKey 5 Nano Model # differences

I bought these on Amazon and I noticed they have completely different model numbers (and one in a format with the “LOT” I’ve never seen). Wondering if this is a newer/older packaging revision situation or what is going on. Haven't seen this with any other YubiKey I have purchased so wanted to see if anyone had any idea

Thanks in advance!

u/Historical-Side883 — 7 days ago

Tubikey for Digital Estate planning

My stepbrother passed away in March and left things in a mess. Accessing systems and cancelling services etc. was difficult to say the least.

So I've been thinking about how I should setup things for myself, or other older family members to make it easier for them/me when the time eventually comes.
So many systems now want to use your mobile device as a 2nd factor -either SMS message or email or an authenticator app. I have multiple authenticator apps, Google, Microsoft, etc. plus password safe like Bitwarden or OnePassword etc. and most people have their phone set to use biometrics to unlock. If you drop dead, how so the ones you leave behind get access to the bank, insurance, taxes, etc. to pay bills, mortgage, figure out what accounts you had, life insurance polocies etc.?

So I am wondering if I setup Yubikey as that second factor could I have a second one that was stored securely somewhere that could be used to access all of these things?
Has anyone done something similar? Seems like a universal problem as more and more systems use MFA etc.

reddit.com
u/DeathDealer_CDN — 7 days ago
▲ 41 r/yubikey

Amazon discount on YubiKeys

Amazon is currently offering 10% off on yubikeys with a coupon. Not a huge sale but not nothing either given these don’t get discounted often

reddit.com
u/Historical-Side883 — 10 days ago

Returning after 2 days.

I was really looking forward to getting one but after 2 days I'm returning it. Either it's not accepted in a lot of websites or it's not even offered as an option even when you successfully add it. I'm on Linux so not sure if that is part of the issue and even with phone it constantly wants to open up in the Yubikey app. It's not worth the hassle and my SMS code is reliable and quick.

reddit.com
u/upssnowman — 9 days ago
▲ 118 r/yubikey+9 crossposts

Conduit: free, open source SSH/Mosh/SFTP client for Android and iOS with YubiKey/FIDO2 hardware key support

I built a free, open source SSH/Mosh/SFTP client for Android and iOS that supports YubiKey and other FIDO2 hardware keys over USB and NFC.

Auth works for both ed25519-sk and ecdsa-sk credentials via CTAP2. USB and NFC on Android, NFC on iOS. Works in both terminal and SFTP flows. Agent forwarding is supported too, so your YubiKey can authenticate onward hops without copying keys to remote machines. You'll be prompted to tap for every signature, same as a normal connection.

No account, no subscription, no cloud sync, no analytics, no paid features. Everything stays on device.

F-Droid: https://f-droid.org/packages/com.gwitko.conduit/

GitHub: https://github.com/gwitko/Conduit

App Store: https://apps.apple.com/app/id6780054869

Play Store is coming soon. If you want early access, join the beta: https://play.google.com/apps/testing/com.gwitko.conduit (you'll need to join this group first: conduit-closed-test@googlegroups.com)

I would really appreciate feedback from the yubikey community on my integration of the auth flow with the hardware keys. Note that the flow is a bit different on android and ios.

EDIT to join group go here: https://groups.google.com/g/conduit-closed-test

u/gwitko — 13 days ago
▲ 13 r/yubikey

What to do with two new / unused Yubikey 5 NCF that I don't want?

I bought two Yubikey 5 NCF direct from Yubikey about 2-3 years ago that I never used & am not going to use. I'm guessing no one would want them due to fears of scams & fears of malware, but if I'm wrong get in touch / DM me.

Not looking to make any money, you can have them for free. I'd rather someone get some use out of them versus just throwing them out.

reddit.com
u/GR8FUL-D — 11 days ago
▲ 15 r/yubikey

Yubikey as just one of several options?

Dumb question, i am new to this. I have proton, including protonpass and auth. Currently my phone functions as my passkey with biometrics. I would like yubikey as a backup, like in case my phone is lost/broken/stolen. Would this work, or does that end up as yubikey being the only signin option?

reddit.com
u/roguewhispers — 13 days ago
▲ 38 r/yubikey

What might cause a Yubikey to malfunction?

I have this old Yubikey 5 NFC I brought back in 2019. I have recently experienced two times where it malfunctioned. I leave my Yubikey connected to a USB keyboard with integrated USB 2.0 hub, which is futher connected to a Anker USB 555 hub that is connected to my Steam Deck. This hub passes power to my Steam Deck. These two times I come back to it unresponsive and when unplugging and trying again it would rapidly flash, not showing up. Once in this state it would behave the same for trying in other devices like on my Android phone with a USB-C to USB-A OTG adapter. However both times, if I left it unpowered and disconnected for an extended time it would recover appearing to function as expected.

​

I wonder if possibly there's issues with power fluctuations and it kicks the Yubikey into some "bootloop" with the chip. Or if this is a sign I should back up the codes and get a new one.

u/ShapeShifter499 — 14 days ago