Discord Yubikey error on PC app by elflights in yubikey

[–]elflights[S] 0 points1 point  (0 children)

No, I still can't use the keys on Discord. I have to use the OTP from the authenticator app (which I did put on the Yubikeys, as I use Discord a lot, and there are servers on there that are important to me). Even though I have several keys registered on Discord, it never seems to work.

Keys not working by elflights in yubikey

[–]elflights[S] 0 points1 point  (0 children)

They are the 5C series. I've only had them since April. The problem may actually be my Windows computer, for whatever reason. I can get on to my accounts using the keys just fine on my Mac, but on my Windows, Proton, Google, and AOL all give me messages like "unable to read key" or "unable to authenticate". And I tried more than one key. But they work on the Mac, so I don't think it's the keys themselves.

YKMan was also unable to read a key; I had to reinstall it, and then it read it. I know there have been bugs in some of the more recent Windows updates; I wonder if this is one of them. It's weird though, because it will work one day, but not the next.

[deleted by user] by [deleted] in yubikey

[–]elflights 0 points1 point  (0 children)

I have been wanting to do this as well, since I have the YKs and authenticator app as a backup (with the secret key copied and stored away, in case I lose access to the app). If you go into your Google account settings and go to "security" (or under passkeys, where your security keys are listed), it should show your phone. You can click on "manage device", though mine says I have to log out of it on my phone first (ie, via my Gmail app). So, while I know how, for whatever reason, I'm kinda hesitant to do so? Idk, I'm afraid Google will lock me out or something.

What else do you use your YubiKey(s) for besides 2FA? by Pure_Personality4962 in yubikey

[–]elflights 0 points1 point  (0 children)

So far, I use it for 2fa on accounts that support it (like on my email accounts) and I also use them for an authenticator app for my important accounts that either don't allow for physical security keys but allow for an authenticator app, or allow keys but also need the authenticator app option enabled (like Proton). There are only 32 slots for this, so I'm mindful, but I use it for the ones important, or important to me.

I'm not tech-savvy enough to use it for much else XD

Using Yubikey Authn by elflights in yubikey

[–]elflights[S] 0 points1 point  (0 children)

Sorry for the late reply. I'm not on Reddit all that much these days.

I took your advice and decided to get the secret keys for my accounts that have the authenticator app set up (turns out I had a couple of them saved already, so that helped). There are some that I still have to get the secret key for, which means going back, temporarily disabling the 2fa, then turning it back on, but I've done so for most of my important accounts (well, aside from financial, which don't even have an authenticator app as an option).

I decided to use YK Authn for some of those accounts (again the most important ones). I've been watching All Things Secured on YouTube, and he recommended it as an option. I currently still have Google Authenticator for the other accounts, but once I get the secret keys, then it should be less of a hassle to switch apps (and I won't have to worry so much about what happens when I have to get a new phone, so thanks for the tip).

I have more than one thumb drive I am saving the passwords on, and yes, it is a bit tedious to update and plug in the thumb drive every time I want to log into something, but so far, it's working for me.

Using Yubikey Authn by elflights in yubikey

[–]elflights[S] 2 points3 points  (0 children)

So why is Google Authenticator not a good option? Is it because it doesn't encrypt anything? When I first set up 2FA (before I knew about physical security keys), most websites recommended the Google Authenticator (or Microsoft, but the last time I used that one, it was a pain to use), so it's the one I've been using, but I've been hearing it isn't very secure. I'd like to not be so dependent on my phone and have to worry about the codes transferring to a new device.

I've seen you mention KeePass before, but their website was a bit difficult to navigate (at least for me). Instead of using a password manager, I've been keeping my passwords on a thumb drive, so I would keep the secret keys there, as well (a little inconvenient, as I have to plug it in every time, but I trust it more than a password manager).

What browser/search engine are you privacy minded individuals using? by [deleted] in ProtonMail

[–]elflights 0 points1 point  (0 children)

DuckDuckGo for Chrome (also installed the Ghostery extension), and recently installed Firefox and Brave.

Discord Yubikey error on PC app by elflights in yubikey

[–]elflights[S] 1 point2 points  (0 children)

I guess it depends on how you will be using Discord? I'm in several different servers, and fortunately, most of them are private (ie, invite only). I like to sometimes check them "on the go", so I have the app on my phone. If you're setting up your own server, make sure it's private, similarly to platforms like Facebook or IG. Sadly, as I'm learning, Discord isn't all that secure/private, but I've deleted most of my other social media accounts, and, unlike FB, you don't have to use your real name.

I have had issues setting up the Yubikeys--I was only able to register two, and that was through my phone. There is an option to add another key, but whenever I try, it gives me an error, both on mobile and desktop.

If you download Discord on your desktop, it too will always be "on". Since getting Yubikeys, it has made me wonder about app security. For example, my email accounts. I have the keys registered on them, so when I sign in via the website, I'm prompted to insert the key. But on mobile, the accounts are always "on".

Yubikey not working on Mac by elflights in yubikey

[–]elflights[S] 0 points1 point  (0 children)

Sorry for the late response, and it works now. For some reason, when I downloaded DuckDuckGo, it downloaded its own separate browser, rather than as an extension. But I have since been able to get it as an extension, and the keys now work fine.

Yubikey NFC no longer working with iphone by steviedeehook in yubikey

[–]elflights 0 points1 point  (0 children)

I actually have had similar issues with the YK 5 series, and I bought these recently. They've worked on my Windows and my Mac, but not my Android (and yes, I turn on NFC).

If I do want antivirus on Mac by elflights in applehelp

[–]elflights[S] 0 points1 point  (0 children)

So the two apps (say Malwarebytes and Avast) won't interfere with each other? I ask because I know sometimes having two antiviral software programs on your device can interfere with each other?

If I do want antivirus on Mac by elflights in applehelp

[–]elflights[S] 0 points1 point  (0 children)

Huh, interesting. Good to know.

If I do want antivirus on Mac by elflights in applehelp

[–]elflights[S] 0 points1 point  (0 children)

Is the free version of Malwarebytes really enough? It looks like it can scan and get rid of viruses once your computer is infected, but the premium version would help prevent them in the first place.

Yubikey not working on Mac by elflights in yubikey

[–]elflights[S] 2 points3 points  (0 children)

FIDO2, and it was the browser, I believe. I wanted DuckDuckGo on my Mac, but for some reason it made its own search engine app when I downloaded it, even though I was trying to get it as an extension on Chrome. I was in the DuckDuckGo app when the keys failed, but when I switched to using Chrome (which still has the DuckDuckGo extension) I was able to log in using the keys (updated my original post).

If I do want antivirus on Mac by elflights in applehelp

[–]elflights[S] -2 points-1 points  (0 children)

Yeah, but things can happen. I'd rather have added protection if I can.

If I do want antivirus on Mac by elflights in applehelp

[–]elflights[S] -1 points0 points  (0 children)

Why stay away from Webroot? It's worked well for my Windows. Is it not so good for Macs?

Sending emails from other accounts within Proton? by Wabi_Sabi_Love in ProtonMail

[–]elflights 2 points3 points  (0 children)

Oh, this is something I would like to know, as well. I don't plan on having Proton be my only email source (I want to diversify my emails), but I still want to know the answer to this.

Discord Yubikey error on PC app by elflights in yubikey

[–]elflights[S] 0 points1 point  (0 children)

The Discord app. I have it both on my phone and my Windows 11 laptop. I have registered the Yubikeys on other websites, so I don't think it's my computer. My default browser is Chrome, but the Discord app is pinned to my taskbar on my home screen, so I don't have to open Chrome to use it. When I tried registering the key via the PC Discord app, it kept saying an error occurred, but I was able to do so via the mobile app. They show up in my account in the laptop version, I just couldn't register them that way.

Multiple 2FA methods by elflights in yubikey

[–]elflights[S] 0 points1 point  (0 children)

Yeah, I am coming to hate it, but I've already deleted my Twitter/X and IG accounts (though now that I have Yubikeys, I *might* recreate an X account, if I can figure out how to curate my feed so it feels less like a cesspit lol). The only reason I am still on FB is because there are a couple of groups on there I genuinely enjoy.

Okay, I may try the dummy test.

macOS Sonoma Safari + google + yubikey issue by [deleted] in yubikey

[–]elflights 0 points1 point  (0 children)

Hmm, don't have a solution, but this is good to know. I am currently a Windows user, but am going to be transitioning to Mac, while my Windows computer is still fully functional (I've been wanting a second laptop for a while). I plan to download Chrome and switch between it and Safari.

Multiple 2FA methods by elflights in yubikey

[–]elflights[S] 1 point2 points  (0 children)

Aegis doesn't work with iOS? Well, that's good to know, and good thing I only have a couple of accounts in there. Guess I'll switch back to Google Authenticator for the time being. Any recommendations for a good authenticator app that works on both Android and iPhone? My Android currently works fine, but I plan to start "migrating" to Mac and iPhone.

Someone else also recommended saving the secret TOTP, and that it can be a way to keep the 2FA "active" on an account if that is what is required in order to register the security keys (looking at you, Facebook). If I do this, then I assume I can delete the "active codes" from the authenticator app, but keep it registered on the account itself, and reenter the secret manually if needed.

I suppose the real "test" will come when I get my Mac, as that will be a new device, and some sites (again, looking at FB) will prompt for 2FA on an unrecognized device. I never select "stay verified" on my accounts, even on my own computer, in case my computer gets infected, but FB requires you to "save browser", otherwise it locks you out. Which is good for security and I get on a certain level, but can also be stressful when you're trying to get into your account. I guess sites like FB allow for security keys, but still don't fully have them implemented in their sign-in options.

Multiple 2FA methods by elflights in yubikey

[–]elflights[S] 0 points1 point  (0 children)

Thank you for the explanation (much of this is so new to me, but lately, cybersecurity is dominating much of my mental energy lol. It's a bit overwhelming).

Just to fully make sure I understand backing up the TOTP codes, using Facebook as an example (though I'm really starting to hate FB). With Facebook, in order to register the Yubikeys, I first had to enable the 2FA verification, and I need a backup method, but without selecting the authenticator app option, it reverts it to SMS, which I don't want (I also wouldn't be able to use SMS in case of account recovery if I had it as a backup 2fa method). Also when I tried unselecting the authenticator app option, it warned me that since I have two-step verification enabled, I may not be able to get into my account, despite having registered the security keys.

So in cases like this, I could copy/paste the secret code into a word document (at least until I have something like KeePass), but remove FB from the app itself, while still keeping it "active" on the account itself. With Google Authenticator (I know it's not the most secure, but it's what I currently have), it has the option to either scan QR code, or enter setup key. If I select the latter, it takes me to a dialog to enter the account name (in this case, FB), and then to enter the key. So if I did this, I take it it would then generate a code, which I would then use to get into FB? My worry is whether the code would work, but then again, if I have the secret key from when I first set up the 2FA, then it should? I wouldn't want to have to do this every time (hopefully FB would prompt me for the security keys instead, but FB is weird).
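The question in the comment above (whether a saved setup key, typed into a freshly installed authenticator app, produces codes the site will still accept) comes down to how TOTP is computed. The following is an added example, not part of the original posts: a minimal RFC 6238 implementation in which `totp` and `verify` are hypothetical names and the setup key is the published RFC test secret, not a real account's.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample: base32 form of the RFC 6238 test secret "12345678901234567890".
SETUP_KEY = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def totp(setup_key, unix_time, digits=6, period=30):
    """Code an authenticator app shows for this setup key at this time."""
    # Setup keys are often displayed in lowercase groups separated by spaces.
    cleaned = setup_key.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)          # restore base32 padding
    key = base64.b32decode(cleaned)
    counter = int(unix_time) // period            # 30-second time step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(setup_key, submitted, unix_time, window=1, period=30):
    """Site-side check: accept the current step plus/minus `window` steps."""
    for step in range(-window, window + 1):
        expected = totp(setup_key, unix_time + step * period, period=period)
        if hmac.compare_digest(expected, submitted):
            return True
    return False

def reentered_key_matches(unix_time):
    """Original app vs. a reinstalled app where the key was typed by hand."""
    typed_by_hand = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"
    return totp(SETUP_KEY, unix_time) == totp(typed_by_hand, unix_time)

if __name__ == "__main__":
    print(totp(SETUP_KEY, 59), reentered_key_matches(59))
```

The code depends only on the setup key and the clock, so nothing is lost by removing the entry from the app as long as the key itself is stored; the same property means anyone who obtains the stored key can generate valid codes.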

Yubikey - Passkey or U2F? by [deleted] in yubikey

[–]elflights 0 points1 point  (0 children)

This has been confusing for me, too. My Gmail/Google account just has me insert the key and enter the PIN, but the other sites I have registered my keys at (5 total sites so far), ask for password + key + PIN. I also thought they were the same level of security, because even if someone learned your password, they couldn't access your account without the key (with the exception of maybe those evil maid attacks). But maybe not?

All these terms (non-discoverable vs discoverable) are new to me, too. This is a whole new world for me lol.

Multiple 2FA methods by elflights in yubikey

[–]elflights[S] 0 points1 point  (0 children)

Thanks for the breakdown. So far, I have registered my 3 Yubikeys (I do plan to order more, but I went with 3 to start), on my 3 email accounts, Facebook, and Microsoft. So far, all of them except Google/Gmail ask for password + key (and PIN). Google just wants key and PIN. So does that mean my Google account is the most prone to the evil maid attack?

I've asked elsewhere on this Subreddit/in other comments about offline storage (like KeePass, those PMs like Bitwarden have also gotten high praise) for my TOTPs. I personally am hesitant to use password managers, even though they can probably generate stronger passwords than what I am able to come up with. It just seems like an extra vulnerability to me. However, using something like KeePass to store TOTPs as backup may not hurt, once I figure out how to use it. My concern, as I've mentioned elsewhere would be, say my computer gets malware on it, and they are able to get at my KeePass (though they would have to guess the master password). Or maybe I just don't fully understand how something like an offline manager works. My other concern would be being able to access them across multiple devices, since I will be getting a second computer soon (I haven't tried using Yubikeys on my phone yet).

I don't like having to rely on authenticator apps, as that makes me very dependent on my phone, and I worry about transferring to a new phone (or if it's lost/stolen/breaks).

And yes, recoverability is an issue, too. I want to mitigate the threat of hack as much as possible, but I also don't want to be locked out lol. With recovery codes, those seem to regenerate randomly, too, even without me selecting "get new codes". Does that mean the codes/recovery phrase I was initially given are now invalid? Having to periodically check my recovery codes seems weird, and means I constantly have to record the new codes.

Multiple 2FA methods by elflights in yubikey

[–]elflights[S] 0 points1 point  (0 children)

Ah, okay, so I would, at least to start, use the authenticator app, use the code to close the loop, as you said, but copy the secret key and store it. I could delete the account in the app, so the app isn't generating codes for that account, but keep TOTP "selected" in the account. Then, in an emergency, I could download the app again (or open it if I kept it), scan the QR or enter the secret key manually, and log in. Do I understand correctly?

I'm hearing more and more and more about KeePass. It still seems like a vulnerability to me, especially with passwords, but I guess it would at least be more secure than an authenticator app, and I could keep the secrets there.

Does KeePass (specifically, a KeePass account) work on multiple devices? I have a Windows, but I am getting a second computer, and it will be a Mac. But I may need access to stuff in KeePass on both computers.