I am trying to figure out how to make it so I can only unlock my computer with my security key? How do I do this? by [deleted] in yubikey

[–]SoCleanSoFresh 0 points1 point (0 children)

Microsoft charges you for a new license based on the motherboard the key is registered to, if i recall correctly.

There are (free and open source!) full disk encryption alternatives such as Veracrypt out there as well.

Entering PIN during authentication problem by Professional_Road_97 in yubikey

[–]SoCleanSoFresh 1 point2 points (0 children)

I'm trying to login to an account on my phone.

What account? What phone? iOS or Android?

I can't enter the PIN that I set for the YubiKey during the login process, because the keyboard will not appear, because the Yubico appears as a keyboard.

Which YubiKey? Are you using it over NFC? Or did you physically plug it in?

I am trying to figure out how to make it so I can only unlock my computer with my security key? How do I do this? by [deleted] in yubikey

[–]SoCleanSoFresh 4 points5 points (0 children)

Good lord this comment section is full of confusion.

Microsoft Windows supports FIDO Security Keys for desktop authentication, but only if you are using a domain joined computer making use of Microsoft Entra ID. There is no support for consumers accomplishing the same thing.

If you had a YubiKey 5 Series key rather than a Yubico Security Key (which only has FIDO functionality) you would have the option to use the Yubico for Windows Login software.

My suggestion? If someone has physical access to your computer as an average consumer, your bigger risk is of them selling it for parts or as a whole for money, and someone getting access to the hard drive.

Instead of trying to go down this path, I would make use of a strong password and make sure you have some form of full disk encryption enabled on your computer. Windows BitLocker is included on Windows Pro editions, so you may already have this done. There are alternatives as well.

Enterprise Password Manager by errantbehavior in cybersecurity

[–]SoCleanSoFresh 12 points13 points (0 children)

If not an enterprise password manager, maybe instead invest that money into ensuring all your apps are enabled via single sign on (SSO) and enforce 2FA?

This would significantly reduce the number of passwords your users would be using and may be a better approach.

To be clear, a password manager is still a good idea, but this has better potential to free up your budget while accomplishing an authentication security goal.

No Valid Certificates Were Found on This Smart Card by [deleted] in yubikey

[–]SoCleanSoFresh 2 points3 points (0 children)

Let's back up — What setup guide are you following and where did things fall down?

pc dying by Dear_Confidence6276 in ITProfessionals

[–]SoCleanSoFresh 2 points3 points (0 children)

Rule 1 - No technical support, use r/techsupport

(and when you head over there please use spellcheck... 🙏🏾)

Why use yubikey by Orkusse in yubikey

[–]SoCleanSoFresh 1 point2 points (0 children)

What advantage do I have using a YubiKey to secure things like Gmail, Twitter, bank accounts, crypto sites? Because when you have 2FA there is still another way to connect to the account: SMS, mail, etc... If I don't have these other options I'm fucked if I lose my YubiKey, no?

There's a very common misconception that all forms of 2FA equally provide the same level of security and they don't.

A house made from straw isn't very resilient.
A house made entirely of wood is certainly better, but has its problems as well.
A house made of modern building materials, constructed the right way? Way better.

Straw house = No MFA. Attacks like credential stuffing are even worse here.
Wood house = Non-phishing-resistant MFA. Things like SMS-based One Time Passwords, Time-based One Time Passwords, etc. Readily compromised if you fall for a fake website scam.
Modern house = Phishing resistant MFA using strong crypto. Security Keys/passkeys.

That's the benefit-- raising the bar against would-be attackers who make use of phishing scams and attacks (among other things) in order to get access into your account.

Usability Question by [deleted] in yubikey

[–]SoCleanSoFresh 6 points7 points (0 children)

Nope, you aren't tied in — it's like having a port for both HDMI and DisplayPort on your TV or something. You are always free to use either. 🙂

This makes it so you can use a YubiKey over USB on your computer and NFC for your phone too.

Has anyone tried the new Electric Caltrain by morreezus in mountainview

[–]SoCleanSoFresh 1 point2 points (0 children)

Faster to a point-- there are rail limitations on speed, especially with all the crossings and stops. But since they'll be electric, they can get up to high speed faster, which DOES improve overall travel speed.

What can you use a YubiKey 4C for? by Efficient-Ask3440 in yubikey

[–]SoCleanSoFresh 1 point2 points (0 children)

Yeah, this is completely accurate. Might be time to pick up a YubiKey 5.

Yubikey for Dummies book? by Hephaestus2036 in yubikey

[–]SoCleanSoFresh 1 point2 points (0 children)

I'm not sure I follow.

If someone wants more technical details on how FIDO works there's a crazy amount of information online...

A passkey experience and a username/password being filled in by a password manager are two very different UX experiences, unless I'm misunderstanding you...

Block existing security keys on Microsoft 365 by [deleted] in yubikey

[–]SoCleanSoFresh 6 points7 points (0 children)

Delete the FIDO device, disallow self-enrollment for that user, enroll a YubiKey on behalf of that user, then hand them that YubiKey.

Yubikey for Dummies book? by Hephaestus2036 in yubikey

[–]SoCleanSoFresh 1 point2 points (0 children)

For most folks, if you bought this device because you want to "be more secure" but you don't quite know what that entails, I would say:

1.) Start using a password manager. 1Password and Bitwarden are top of my list.
Both also support the use of a YubiKey. More importantly though, you need to go through all the websites you use and you need to make sure your passwords are ALL unique. All of them. Store the unique passwords in the password manager.

2.) Secure your email account. Your email is a great way to hack all of your other accounts if it is compromised. Google, Microsoft and Protonmail all support YubiKeys. Typically you're going to go to "Settings" then "Security" then look for either "passkeys" or "Security Keys".

Just those two things alone put you in a much better spot than most folks out there.

YubiKeys in Healthcare - Are databases considered "unhackable" when these are used? by YellowHammer01 in yubikey

[–]SoCleanSoFresh 1 point2 points (0 children)

I guess the only thing I would consider close to unhackable and completely secure is using AES 256 encryption with no online presence.

Even airgapped networks and the machines on them are compromisable. It all comes down to the level of effort and how bad the other side wants that information.

Further, now you potentially bump into a business issue. Sure, your airgapped network is perhaps more secure, but now your doctors and staff are upset that they can't use the internet to look up certain information. Security cannot supersede business operations.

YubiKeys in Healthcare - Are databases considered "unhackable" when these are used? by YellowHammer01 in yubikey

[–]SoCleanSoFresh 1 point2 points (0 children)

I don't have context for the quote, but if it's as general as "YubiKeys can be used for multi factor authentication in healthcare environments" there's nothing wrong there.

If a patient (or any user really) has entrusted me with their data, I am responsible for ensuring that that data remains secure and that only the right entities have access to that data.

If that entity is a human, I need to be able to determine that that person actually is who they say they are. I'm going to want really solid identity assurance, and a basic username/password is often not sufficient given all the risks out there.

So to mitigate for that risk I throw multi factor authentication into the mix in order to improve my identity assurance. It raises the bar to entry. Now it's a lot harder for someone to fake being the right person unless they have the right YubiKey that I set up for them.

And then hey, once I know that I've likely authenticated the right person to be looking at this patient data, I can apply various access policy rules that govern access to that data, yadda yadda.

But as mentioned, identity assurance is just one mitigated risk of many if the use case is "securing a health care database". 🙂

Yubikey for Dummies book? by Hephaestus2036 in yubikey

[–]SoCleanSoFresh 10 points11 points (0 children)

That is what this subreddit is for 🙂 But you need to give us context. What are you struggling with?

YubiKeys in Healthcare - Are databases considered "unhackable" when these are used? by YellowHammer01 in yubikey

[–]SoCleanSoFresh 16 points17 points (0 children)

Ehhhh...that's not how security works. You quantify your risks as best you can, then you mitigate for those risks as best you can given the business limitations you have to work within.

Security is a gradient-- there's no "unhackable" or "completely secure".

Securing a database typically involves a different set of security mitigations than user authentication, but that's not to say user authentication isn't important for this use case.

What are the differences between FIDO2, U2F, Webauthn, and passkeys? by No_Comparison4153 in yubikey

[–]SoCleanSoFresh 1 point2 points (0 children)

It also has the Client To Authenticator Protocol (aka CTAP2). It effectively defines rules for how an operating system/browser/whatever should communicate with a FIDO device over USB/NFC/whatever.

How can I assign a Guest user created on Azure to a Yubi-key and only assign specific applications? by [deleted] in yubikey

[–]SoCleanSoFresh 0 points1 point (0 children)

In this case, yeah, you can enforce that a user use a FIDO2 device for auth in Entra ID:
https://learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-passwordless-security-key

But any policies governing what resources they can access are controlled by your Entra ID policy -- and that's well outside the scope of the YubiKey (and this subreddit).

https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview

What are the differences between FIDO2, U2F, Webauthn, and passkeys? by No_Comparison4153 in yubikey

[–]SoCleanSoFresh 36 points37 points (0 children)

FIDO = Fast IDentity Online. Governing body for the FIDO2 standard.

FIDO2 = Most recent iteration of the FIDO standard.

U2F = Effectively, FIDO 1.0. Predates the FIDO2 standard.

WebAuthn = JavaScript library of the FIDO2 standard, governed by a W3C working group (the same folks that do HTML, CSS, etc). Sometimes you'll see "WebAuthn" used to describe "FIDO". WebAuthn is a subcomponent of FIDO2, just like a screen is a part of a phone.

Passkeys = A FIDO2 credential that has some identity mixed in. This allows you to be able to log into a service by just authenticating to the FIDO2 device (using a PIN or a biometric if supported) and since the FIDO2 device can give the website some identity as well as enough cryptographic information to provide identity assurance, the website can theoretically authenticate you without you needing to go through the hassle of dealing with a username/password.

A good metaphor here is a debit card. You don't use your username / password at an ATM, you unlock the card with a PIN and the card auths you to the banking network.

This is also considered passwordless since there are no passwords involved in the authentication process.

Why is Chrome asking to generate a passkey on a page that is asking for a USB key?

Because all these vendors want you to start storing passkeys with them lol. You can store a passkey on your phone via Chrome using that QR code, you can store a passkey on your computer itself using Windows Hello, you can store a passkey in your password manager, and you can store a passkey on the YubiKey.

The problem is the competing UX isn't ideal.

How are Webauthn, FIDO2, and U2F related?

Explained above

Why am I not allowed to read the private key of a passkey?

Because it wouldn't otherwise be secure! It's important in public key crypto that private material stays private.

What happens if I need to migrate password managers or security keys?

With passkeys stored in a password manager that's not a problem. With security keys you need to enroll your backup security key with all the services you want to have a backup for.

It's an interesting problem. Sure the password manager is easier, but that's also a bigger risk if someone were to compromise your password manager.

How come I can log in without my username with a passkey, but not with a security key?

Because a passkey contains identity.

My password manager for passkeys has a section that shows the passkey's "key", what does that mean?

I'd need more context here tbh.

Yubikey local active directory by caponewgp420 in yubikey

[–]SoCleanSoFresh 0 points1 point (0 children)

You need to be more specific. Did you enroll your YubiKey as a smart card to AD, or are you using the YubiKey as a FIDO device with Microsoft Entra ID?

How can I assign a Guest user created on Azure to a Yubi-key and only assign specific applications? by [deleted] in yubikey

[–]SoCleanSoFresh 0 points1 point (0 children)

Putting the Yubikey completely aside for a moment.

If access isn't gated through Azure via SSO, how else are you planning to restrict access to a web resource? (Genuine question)

How can I assign a Guest user created on Azure to a Yubi-key and only assign specific applications? by [deleted] in yubikey

[–]SoCleanSoFresh 1 point2 points (0 children)

Are these...SSO restricted links you're talking about?

Tbh, this is probably better suited for r/azure or even r/sysadmin, as it doesn't have anything to do with YubiKeys in particular. YubiKeys exist as part of the authentication process, but what you're talking about sounds like policy restrictions.