How many Yubikeys?

Questions on how we spend our money and our time - consumer goods and services, home and vehicle, leisure and recreational activities
Topic Author
yules
Posts: 627
Joined: Wed Nov 27, 2019 9:31 am

How many Yubikeys?

Post by yules »

Bogleheads,

After lots of research (and blog posts) I finally have come around to the conviction that I should use Yubikey to lock down my email and whichever financial accounts support it. I see that the general recommendation is to have 2 Yubikeys in case 1 is lost or stolen. But is the suggestion 2 per device?

I have a desktop, Android phone, and iPad, all with different connectors. So that would mean the recommendation is for me to have 6 Yubikeys?

I'm curious to know how other Bogleheads with multiple devices think about Yubikeys. Do you actually have 2 per device, or do you limit the types of devices you use to access your email, financial accounts, etc?

(Not sure if this belongs in "Personal Finance" or "Consumer issues", apologies if it's the wrong place)

Thank you,
Yules
VictorStarr
Posts: 742
Joined: Sat Jan 04, 2020 9:13 pm
Location: Washington

Re: How many Yubikeys?

Post by VictorStarr »

yules wrote: Tue Aug 30, 2022 11:49 am Bogleheads,

After lots of research (and blog posts) I finally have come around to the conviction that I should use Yubikey to lock down my email and whichever financial accounts support it. I see that the general recommendation is to have 2 Yubikeys in case 1 is lost or stolen. But is the suggestion 2 per device?

I have a desktop, Android phone, and iPad, all with different connectors. So that would mean the recommendation is for me to have 6 Yubikeys?

I'm curious to know how other Bogleheads with multiple devices think about Yubikeys. Do you actually have 2 per device, or do you limit the types of devices you use to access your email, financial accounts, etc?

(Not sure if this belongs in "Personal Finance" or "Consumer issues", apologies if it's the wrong place)

Thank you,
Yules
2 or 3 total.
If your desktop has USB-C port this YubiKey 5C NFC may work with all your devices -
https://www.yubico.com/product/yubikey-5c-nfc/

For ease of use, I recommend this nano key -
https://www.yubico.com/product/yubikey-5c-nano/
increment
Posts: 1682
Joined: Tue May 15, 2018 2:20 pm

Re: How many Yubikeys?

Post by increment »

yules wrote: Tue Aug 30, 2022 11:49 am I have a desktop, Android phone, and iPad, all with different connectors. So that would mean the recommendation is or me to have 6 Yubikeys?
Well, you can't count on registering 6 keys at any particular site. (Vanguard's limit is 4.)

If your phone has a USB C connector, can you use a USB A key (for recovery purposes) via an adapter? Does your phone speak NFC, which the current Yubikeys have? If your iPad requires the lightning connector, then you have to get Yubico's 5ci, which already has USB C.
twh
Posts: 1739
Joined: Sat Feb 08, 2020 2:15 pm

Re: How many Yubikeys?

Post by twh »

2 is not a good idea
3 is min IMO
4 is better

In case you are not aware, you can reuse them for different accounts. That is, you can use the same 4 keys for Gmail, Vanguard, etc.
gavinsiu
Posts: 4347
Joined: Sun Nov 14, 2021 11:42 am

Re: How many Yubikeys?

Post by gavinsiu »

No, you do not get a separate key for each client. All you need is one key for all of your clients and use a default. For example, I have a USB-C key with NFC. On a Windows or a Mac, I plug the yubikey into my USB port. If the port is not USB-C I use a USB-C to USB-A adapter. On my mobile phone, I use the NFC. There is no need to get multiple keys.

I do have a backup key stored in a safe place in case the original is lost.

Keep in mind many accounts have a limit on the number of keys. It's usually 4. On some sites like Bank of America, it's 2.
ThankYouJack
Posts: 5704
Joined: Wed Oct 08, 2014 7:27 pm

Re: How many Yubikeys?

Post by ThankYouJack »

Not to thread jack, but if you don't have your Yubikey, can't you still reset your passwords to your accounts? Is the password reset process through Vanguard the same?
ilisira
Posts: 130
Joined: Tue Mar 11, 2008 3:04 pm

Re: How many Yubikeys?

Post by ilisira »

I do agree that 2 is not enough. I am using 4, where one is always in my backpack (I used to travel a lot, not that much, but still just in case), and one is with my keychain. One is on my desk, when I need to use it during the day, and one backup at a safe place.

I always used yubikeys, however just recently I bought two of these: https://www.amazon.com/gp/product/B089Z ... UTF8&psc=1
They do support USB-C (both laptop/iPad have USB-C, and there are ways to convert a lightning port on iphone to USB-C), and NFC. Something like this might be a good option depending on what kind of connector you have on your iPad, and phone.
LadyGeek
Site Admin
Posts: 95095
Joined: Sat Dec 20, 2008 4:34 pm
Location: Philadelphia

Re: How many Yubikeys?

Post by LadyGeek »

This thread is now in the Personal Consumer Issues forum (Yubikey).
To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.
rebellovw
Posts: 1748
Joined: Tue Aug 16, 2016 4:30 pm

Re: How many Yubikeys?

Post by rebellovw »

I have a bunch - I have:
1 on each car key ring (2)
1 I wear.
1 saved in an envelope

The idea here is if I'm on vacation - and I lose the one I wear - I'll have one on a key chain.
Topic Author
yules
Posts: 627
Joined: Wed Nov 27, 2019 9:31 am

Re: How many Yubikeys?

Post by yules »

Thanks, all, for the responses.

I'm thinking that a few Yubikeys (I've been persuaded to go from 2 to 3!) with an adapter should suffice.

Best,
Yules
gnujoe2001
Posts: 123
Joined: Mon Jan 13, 2014 1:21 am

Re: How many Yubikeys?

Post by gnujoe2001 »

1 per person, if you have a household. You can register each others keys as backup as appropriate.

If Yubi is the only 2FA method, then maybe add in an offsite key somewhere.
anon_investor
Posts: 15091
Joined: Mon Jun 03, 2019 1:43 pm

Re: How many Yubikeys?

Post by anon_investor »

yules wrote: Tue Aug 30, 2022 11:49 am Bogleheads,

After lots of research (and blog posts) I finally have come around to the conviction that I should use Yubikey to lock down my email and whichever financial accounts support it. I see that the general recommendation is to have 2 Yubikeys in case 1 is lost or stolen. But is the suggestion 2 per device?

I have a desktop, Android phone, and iPad, all with different connectors. So that would mean the recommendation is for me to have 6 Yubikeys?

I'm curious to know how other Bogleheads with multiple devices think about Yubikeys. Do you actually have 2 per device, or do you limit the types of devices you use to access your email, financial accounts, etc?

(Not sure if this belongs in "Personal Finance" or "Consumer issues", apologies if it's the wrong place)

Thank you,
Yules
We have 4, and each one is used on multiple accounts.
K72
Posts: 436
Joined: Wed Dec 05, 2018 7:04 pm

Re: How many Yubikeys?

Post by K72 »

I have 2. If one is lost or fails, I'll get another. Why isn't that sufficient?
All we want are the facts...
twh
Posts: 1739
Joined: Sat Feb 08, 2020 2:15 pm

Re: How many Yubikeys?

Post by twh »

K72 wrote: Tue Aug 30, 2022 6:06 pm I have 2. If one is lost or fails, I'll get another. Why isn't that sufficient?
Let's say you lose one and the backup one is defective...or the dog gets it...or it falls to the bottom of the file cabinet and you can't find it...or or or.
riverant
Posts: 1064
Joined: Tue May 04, 2021 6:51 am

Re: How many Yubikeys?

Post by riverant »

I have one permanently in my computer and another on my keychain. However, neither of my brokerages support it (fidelity and merril edge) so it’s just used on my gmail, Facebook, and checking account.
hoofaman
Posts: 921
Joined: Tue Jul 14, 2020 3:39 pm

Re: How many Yubikeys?

Post by hoofaman »

I have 3, I keep 2 at home updated/paired and then rotate the 3rd key every few months which is kept offsite

I'm more concerned about a bad actor gaining access to my email account than my bank account. With the bank, there are at least laws in place to protect me. For most people an email account takeover would be the worst possible form of identity theft, the bad actor would have the keys to everything, yet this is not even acknowledged as official "identity theft"
freakyfriday
Posts: 184
Joined: Tue Aug 23, 2022 10:00 am
Location: London

Re: How many Yubikeys?

Post by freakyfriday »

Bear in mind not all services will allow you to add multiple keys. As such the ability to recover access is important.

Another less orthodox option is the Ledger hardware wallet intended for use with cryptocurrencies. It has a U2F mode that is recoverable from the same seed as the crypto accounts.

Finally, be mindful of the different connectors. Rather than 3 Yubikeys could you have 2 and a USB-c adapter?

I also have some U2F keys not made by Yubikey which are cheaper at the cost of fewer features and less ruggedness.


Final thought, as not enough love is given in BH to hardware password managers like Mooltipass. Take a look, if you want a hardware based 2FA rather than TOTP I suspect that would appeal too...
K72
Posts: 436
Joined: Wed Dec 05, 2018 7:04 pm

Re: How many Yubikeys?

Post by K72 »

hoofaman wrote: Wed Aug 31, 2022 6:46 am I'm more concerned about a bad actor gaining access to my email account than my bank account. With the bank, there are at least laws in place to protect me. For most people an email account takeover would be the worst possible form of identity theft, the bad actor would have the keys to everything, yet this is not even acknowledged as official "identity theft"
This is precisely why I've removed my every day email (which does not have a 2FA option) from all of my financial institutions. I created a gmail account (protected with Yubikeys) that is used only for financial matters, including password reset. If my normal email were to be hacked, nothing of financial value would be lost.

Edit: though it was a royal pain to methodically change my contact information in all of my accounts, it was ultimately beneficial in that I found several cases where I had out of date email and/or phone information.
Last edited by K72 on Wed Aug 31, 2022 12:36 pm, edited 1 time in total.
All we want are the facts...
rebellovw
Posts: 1748
Joined: Tue Aug 16, 2016 4:30 pm

Re: How many Yubikeys?

Post by rebellovw »

K72 wrote: Wed Aug 31, 2022 12:22 pm
hoofaman wrote: Wed Aug 31, 2022 6:46 am I'm more concerned about a bad actor gaining access to my email account than my bank account. With the bank, there are at least laws in place to protect me. For most people an email account takeover would be the worst possible form of identity theft, the bad actor would have the keys to everything, yet this is not even acknowledged as official "identity theft"
This is precisely why I've removed my every day email (which does not have a 2FA option) from all of my financial institutions. I created a gmail account (protected with Yubikeys) that is used only for financial matters, including password reset. If my normal email were to be hacked, nothing of financial value would be lost.
Agreed 100% - my Google Advanced Security gmail with Yubikey - is my locked down email used for everything.
beyou
Posts: 6801
Joined: Sat Feb 27, 2010 2:57 pm
Location: If you can make it there

Re: How many Yubikeys?

Post by beyou »

Sorry to revive an old thread from 2022, but I just started using Yubikey and frankly don't see why I need more than 1.
Since Vanguard (and google) still have backup methods of authentication, phone based mainly, if somehow my device was lost or broken, one can use the backup method to login, remove your old Yubikey device and add a new one that you would purchase when needed.

What am I missing here ?

The only reason I even considered buying more than one was the interface.
My primary devices (MacBooks, laptops) still have USB-A and I have an NFC enabled iPhone, so the USB-A/NFC device meets my needs mostly.
The only gap I found for devices was my iPad does not support NFC like the iPhone, but I really don't use the iPad as a substitute for my MacBook. If I really wanted to use the iPad, I could get an adapter from USB-A to Lightning, or buy another key that supports Lightning. Of course Lightning and USB-A are both being phased out, so I decided to go with only 1 device that I would use most frequently for now. I might buy a USB-C/NFC device later when I upgrade to a new Mac with USB-C. Of course I can use an adapter and then I'll have 2 working Yubikeys but I really don't see the immediate need.
gavinsiu
Posts: 4347
Joined: Sun Nov 14, 2021 11:42 am

Re: How many Yubikeys?

Post by gavinsiu »

beyou wrote: Fri Feb 09, 2024 11:36 am Sorry to revive an old thread from 2022, but I just started using Yubikey and frankly don't see why I need more than 1.
Since Vanguard (and google) still have backup methods of authentication, phone based mainly, if somehow my device was lost or broken, one can use the backup method to login, remove your old Yubikey device and add a new one that you would purchase when needed.

What am I missing here ?

The only reason I even considered buying more than one was the interface.
My primary devices (MacBooks, laptops) still have USB-A and I have an NFC enabled iPhone, so the USB-A/NFC device meets my needs mostly.
The only gap I found for devices was my iPad does not support NFC like the iPhone, but I really don't use the iPad as a substitute for my MacBook. If I really wanted to use the iPad, I could get an adapter from USB-A to Lightning, or buy another key that supports Lightning. Of course Lightning and USB-A are both being phased out, so I decided to go with only 1 device that I would use most frequently for now. I might buy a USB-C/NFC device later when I upgrade to a new Mac with USB-C. Of course I can use an adapter and then I'll have 2 working Yubikeys but I really don't see the immediate need.
If implemented properly, you should have only the strongest type of 2FA and no fallback. If you have a fallback, people can still bypass your yubikey using the weaker method. Let's say a hacker is targeting your account and they hack your password and connect and notice that it's hardware key protected. They can't continue because they need the physical key. But wait, the hacker notices you have an SMS fallback, so he uses social engineering to get your cell phone provider to take over your cellphone number. Now they take over your account, remove your login and profile info so you can't log in, and then empty your account.

To properly secure the account, you should have at least 2 hardware keys. One is for your use and the other is so you can go and delete the old key and add the new key should the one you have be lost or destroyed. By using a fallback, your only advantage is that you are more phishing resistant. On an account with a hardware key and SMS fallback, you should only use the hardware key to log in. If you get an SMS request, something is probably wrong.
beyou
Posts: 6801
Joined: Sat Feb 27, 2010 2:57 pm
Location: If you can make it there

Re: How many Yubikeys?

Post by beyou »

gavinsiu wrote: Fri Feb 09, 2024 11:46 am
beyou wrote: Fri Feb 09, 2024 11:36 am Sorry to revive an old thread from 2022, but I just started using Yubikey and frankly don't see why I need more than 1.
Since Vanguard (and google) still have backup methods of authentication, phone based mainly, if somehow my device was lost or broken, one can use the backup method to login, remove your old Yubikey device and add a new one that you would purchase when needed.

What am I missing here ?

The only reason I even considered buying more than one was the interface.
My primary devices (MacBooks, laptops) still have USB-A and I have an NFC enabled iPhone, so the USB-A/NFC device meets my needs mostly.
The only gap I found for devices was my iPad does not support NFC like the iPhone, but I really don't use the iPad as a substitute for my MacBook. If I really wanted to use the iPad, I could get an adapter from USB-A to Lightning, or buy another key that supports Lightning. Of course Lightning and USB-A are both being phased out, so I decided to go with only 1 device that I would use most frequently for now. I might buy a USB-C/NFC device later when I upgrade to a new Mac with USB-C. Of course I can use an adapter and then I'll have 2 working Yubikeys but I really don't see the immediate need.
If implemented properly, you should have only the strongest type of 2FA and no fallback. If you have a fallback, people can still bypass your yubikey using the weaker method. Let's say a hacker is targeting your account and they hack your password and connect and notice that it's hardware key protected. They can't continue because they need the physical key. But wait, the hacker notices you have an SMS fallback, so he uses social engineering to get your cell phone provider to take over your cellphone number. Now they take over your account, remove your login and profile info so you can't log in, and then empty your account.

To properly secure the account, you should have at least 2 hardware keys. One is for your use and the other is so you can go and delete the old key and add the new key should the one you have be lost or destroyed. By using a fallback, your only advantage is that you are more phishing resistant. On an account with a hardware key and SMS fallback, you should only use the hardware key to log in. If you get an SMS request, something is probably wrong.
SMS via phone carrier is not the only fallback.
I use google voice for Vanguard, and my google account is also not secured with carrier SMS.

Google voice is plenty secure and Vanguard supports it (I know not all banks/brokers allow Google voice but I use it where it is allowed).

So in such case as Vanguard where you MUST have SMS why have 2 Yubikeys ?
gavinsiu
Posts: 4347
Joined: Sun Nov 14, 2021 11:42 am

Re: How many Yubikeys?

Post by gavinsiu »

beyou wrote: Fri Feb 09, 2024 11:48 am SMS via phone carrier is not the only fallback.
I use google voice for Vanguard, and my google account is also not secured with carrier SMS.

Google voice is plenty secure and Vanguard supports it (I know not all banks/brokers allow Google voice but I use it where it is allowed).

So in such case as Vanguard where you MUST have SMS why have 2 Yubikeys ?

Google voice is only secure if you secure it. What are you using to secure your Google voice? For maximum security, you should use a pair of hardware keys and then remove the fallback. If you have an SMS fallback on your google account, your google voice can be compromised by SMS. If you use TOTP or google prompt as the 2FA, then your google voice is vulnerable to phishing. If you have some sort of passkey, then it's probably pretty secure depending on how the passkey is stored.

In any system where there is a non-hardware-key fallback, you only need one key, because you can use the fallback to add a new key and remove the old one. Sadly, almost all passkey and 2FA setups have SMS or email fallback, making them somewhat less secure than they appear to be.
twh
Posts: 1739
Joined: Sat Feb 08, 2020 2:15 pm

Re: How many Yubikeys?

Post by twh »

beyou wrote: Fri Feb 09, 2024 11:36 am Sorry to revive an old thread from 2022, but I just started using Yubikey and frankly don't see why I need more than 1.
Since Vanguard (and google) still have backup methods of authentication, phone based mainly, if somehow my device was lost or broken, one can use the backup method to login, remove your old Yubikey device and add a new one that you would purchase when needed.

What am I missing here ?

The only reason I even considered buying more than one was the interface.
My primary devices (MacBooks, laptops) still have USB-A and I have an NFC enabled iPhone, so the USB-A/NFC device meets my needs mostly.
The only gap I found for devices was my iPad does not support NFC like the iPhone, but I really don't use the iPad as a substitute for my MacBook. If I really wanted to use the iPad, I could get an adapter from USB-A to Lightning, or buy another key that supports Lightning. Of course Lightning and USB-A are both being phased out, so I decided to go with only 1 device that I would use most frequently for now. I might buy a USB-C/NFC device later when I upgrade to a new Mac with USB-C. Of course I can use an adapter and then I'll have 2 working Yubikeys but I really don't see the immediate need.
Having more than one backup method is a good thing. Especially when it could lock you out of your Gmail forever or you lose half your life trying to get it back.
beyou
Posts: 6801
Joined: Sat Feb 27, 2010 2:57 pm
Location: If you can make it there

Re: How many Yubikeys?

Post by beyou »

gavinsiu wrote: Fri Feb 09, 2024 11:54 am
beyou wrote: Fri Feb 09, 2024 11:48 am SMS via phone carrier is not the only fallback.
I use google voice for Vanguard, and my google account is also not secured with carrier SMS.

Google voice is plenty secure and Vanguard supports it (I know not all banks/brokers allow Google voice but I use it where it is allowed).

So in such case as Vanguard where you MUST have SMS why have 2 Yubikeys ?

Google voice is only secure if you secure it. What are you using to secure your Google voice? For maximum security, you should use a pair of hardware keys and then remove the fallback. If you have an SMS fallback on your google account, your google voice can be compromised by SMS. If you use TOTP or google prompt as the 2FA, then your google voice is vulnerable to phishing. If you have some sort of passkey, then it's probably pretty secure depending on how the passkey is stored.

In any system where there is a non-hardware-key fallback, you only need one key, because you can use the fallback to add a new key and remove the old one. Sadly, almost all passkey and 2FA setups have SMS or email fallback, making them somewhat less secure than they appear to be.
The text you quoted said I do not use SMS for Google 2FA, see highlighted above.
I use my new yubikey and I have google prompt on 2 physical devices (phone/iPad), and a long complex password that does not use any real words.

How is google prompt vulnerable ?
This is from google support

https://support.google.com/accounts/ans ... 20attempt.
You can get Google prompts on any eligible phone that’s signed in to your Google Account.

If your phone is eligible, Google will automatically try to use Bluetooth for additional protection when you sign in to new devices. We use Bluetooth to help block suspicious sign-in attempts from devices that aren’t physically close to your phone.
So somebody would have to be nearby physically, that sounds pretty secure to me.

As far as phishing, I am pretty diligent about email and downloading stuff.
I never use a mail client to download emails (no macros).
I never click email links, I go to the site directly in a browser.
Phishing is something to be vigilant about all the time.

Finally I have my phone with me almost all the time, don't want to carry around yubikey everywhere I go.
My phone gives me access to google, and any other device must have this phone or my yubikey to access google.
I don't see how losing my phone and losing my yubikey are any different.
I would need to deactivate whatever device I lost, replace it and activate a new replacement device ASAP.
So why are 2 Yubikeys better than 1 Yubikey and 1 phone ?
Last edited by beyou on Fri Feb 09, 2024 5:07 pm, edited 1 time in total.
beyou
Posts: 6801
Joined: Sat Feb 27, 2010 2:57 pm
Location: If you can make it there

Re: How many Yubikeys?

Post by beyou »

twh wrote: Fri Feb 09, 2024 12:26 pm
beyou wrote: Fri Feb 09, 2024 11:36 am Sorry to revive an old thread from 2022, but I just started using Yubikey and frankly don't see why I need more than 1.
Since Vanguard (and google) still have backup methods of authentication, phone based mainly, if somehow my device was lost or broken, one can use the backup method to login, remove your old Yubikey device and add a new one that you would purchase when needed.

What am I missing here ?

The only reason I even considered buying more than one was the interface.
My primary devices (MacBooks, laptops) still have USB-A and I have an NFC enabled iPhone, so the USB-A/NFC device meets my needs mostly.
The only gap I found for devices was my iPad does not support NFC like the iPhone, but I really don't use the iPad as a substitute for my MacBook. If I really wanted to use the iPad, I could get an adapter from USB-A to Lightning, or buy another key that supports Lightning. Of course Lightning and USB-A are both being phased out, so I decided to go with only 1 device that I would use most frequently for now. I might buy a USB-C/NFC device later when I upgrade to a new Mac with USB-C. Of course I can use an adapter and then I'll have 2 working Yubikeys but I really don't see the immediate need.
Having more than one backup method is a good thing. Especially when it could lock you out of your Gmail forever or you lose half your life trying to get it back.
The question is not should I have 2 options, the question is why they should both be Yubikey as is often recommended.
In fact for Vanguard they force you to have SMS as a backup option, so having 2 Yubikey means you'll have 3 options to get in.
Many complain about requirement for SMS, but as long as you use google voice, and secure your google account, then I don't see the need FOR VANGUARD for a 2nd Yubikey. Next question is whether it's better to use 2 Yubikey for Google or Yubikey and something else. I am not thrilled about having only one dependency either but there is another thread where Vanguard's yubikey service was not running for one day, so if you had 2 methods and both are Yubikey, you would be out of luck. In reality you'd have a single dependency on their yubikey FIDO services (which Vanguard does not allow).
funyun
Posts: 86
Joined: Tue Oct 31, 2023 11:07 am

Re: How many Yubikeys?

Post by funyun »

The spouse and I have a total of 5 yubikeys, all set with the same logins. We each keep one on our keychain and one generally in the vicinity of our computers, and then one goes in the safe deposit box. We update the one in the SDB quarterly.
jayjayc
Posts: 633
Joined: Tue Jun 25, 2013 11:38 pm

Re: How many Yubikeys?

Post by jayjayc »

The approach to deciding how many backup Yubikeys to have is similar to how many backup house keys you have. I personally like to have several on hand for different scenarios.

Your phone can act as a Yubikey for some accounts. I know Gmail and Bitwarden accept modern phones as a FIDO2 key since they have a security chip inside.
beyou
Posts: 6801
Joined: Sat Feb 27, 2010 2:57 pm
Location: If you can make it there

Re: How many Yubikeys?

Post by beyou »

jayjayc wrote: Fri Feb 09, 2024 4:45 pm The approach to deciding how many backup Yubikeys to have is similar to how many backup house keys you have. I personally like to have several on hand for different scenarios.

Actually I don't think this is a good analogy and does not address my question.

A service like Vanguard or others yes should have 2 keys, but unlike a conventional lock on your door, they can be two completely different kinds of keys. A better home analogy would be if you had a lock that could be opened with a physical key or a digital code, and either could open the lock.

And of course with 2FA, it's like having 2 locks on your door, one opened with a code, the other with a key.
If the 2nd could ONLY be opened with a physical key, then yeah, I would make a copy.
But if I could have a different digital code AND a key for the 2nd lock, how are 2 physical keys better than 1 physical and one code if they both open the 2nd lock? THAT is my question. I have 2 2FA keys for Vanguard, but they are not the same type of keys.
PersonalFinanceJam
Posts: 652
Joined: Tue Aug 24, 2021 8:32 am

Re: How many Yubikeys?

Post by PersonalFinanceJam »

I was thinking about a yubikey some time back but with the advent of PassKeys I don’t really see the need for the physical device. Granted all my devices are Apple so everything syncs between them pretty easily.
rich126
Posts: 4407
Joined: Thu Mar 01, 2018 3:56 pm

Re: How many Yubikeys?

Post by rich126 »

PersonalFinanceJam wrote: Fri Feb 09, 2024 5:53 pm I was thinking about a yubikey some time back but with the advent of PassKeys I don’t really see the need for the physical device. Granted all my devices are Apple so everything syncs between them pretty easily.
I actually played around with them but so many companies don't support them it made no sense to use them since it would just be another item I would need to keep track of. If everyone supported them I would use it.
----------------------------- | If you think something is important and it doesn't involve the health of someone, think again. Life goes too fast, enjoy it and be nice.
PersonalFinanceJam
Posts: 652
Joined: Tue Aug 24, 2021 8:32 am

Re: How many Yubikeys?

Post by PersonalFinanceJam »

rich126 wrote: Fri Feb 09, 2024 6:11 pm
PersonalFinanceJam wrote: Fri Feb 09, 2024 5:53 pm I was thinking about a yubikey some time back but with the advent of PassKeys I don’t really see the need for the physical device. Granted all my devices are Apple so everything syncs between them pretty easily.
I actually played around with them but so many companies don't support them it made no sense to use them since it would just be another item I would need to keep track of. If everyone supported them I would use it.
Bummer. I’ve certainly found the opposite to be true with the sites I visit. Some like Vanguard don’t advertise support for PassKey but they allow you to register one anyway as if it were a yubikey. At this point practically all of the sites I have either support yubikey and a PassKey can be registered or explicitly support PassKey. Certainly enough that it didn’t make sense to purchase a hardware key. Much less multiples.

I’m still dismayed at all the places which don’t support any kind of secure login method and still rely on SMS.
vm81
Posts: 94
Joined: Fri Jan 03, 2020 1:24 pm

Re: How many Yubikeys?

Post by vm81 »

Does anyone know if there is a way to see which key is associated with which service? Just want to make sure all yubikeys are registered at all services.
gavinsiu
Posts: 4347
Joined: Sun Nov 14, 2021 11:42 am

Re: How many Yubikeys?

Post by gavinsiu »

beyou wrote: Fri Feb 09, 2024 4:20 pm how is google prompt vulnerable ?
This is from google support

https://support.google.com/accounts/ans ... 20attempt.
You can get Google prompts on any eligible phone that’s signed in to your Google Account.

If your phone is eligible, Google will automatically try to use Bluetooth for additional protection when you sign in to new devices. We use Bluetooth to help block suspicious sign-in attempts from devices that aren’t physically close to your phone.
So somebody would have to be nearby physically, that sounds pretty secure to me.
Keep in mind that when I tried Google prompt years ago it did not use a Bluetooth check, so when someone logged in remotely from somewhere else in the world, you would get a prompt that you could butterfinger approve. It appears that they might have fixed the issue with Bluetooth.

It's possible to use your phone as a hardware key. I tried this years ago but it only worked with certain browsers. In your case you are essentially using your phone as a second key.
eigenperson
Posts: 241
Joined: Mon Nov 09, 2015 6:16 pm

Re: How many Yubikeys?

Post by eigenperson »

beyou wrote: Fri Feb 09, 2024 11:36 am Sorry to revive an old thread from 2022, but I just started using Yubikey and frankly don't see why I need more than 1.
Since Vanguard (and google) still have backup methods of authentication, phone based mainly, if somehow my device was lost or broken, one can use the backup method to login, remove your old Yubikey device and add a new one that you would purchase when needed.

What am I missing here ?
The yubikey is unphishable. The backup method is vulnerable to phishing. To you, the risk is that you could be tricked into using your backup method.

Imagine you are tricked into accessing a convincing, fake site that looks like Vanguard. You type in your password (so now the bad guys have the password). Then, as usual, it asks you to insert your yubikey. Fortunately, the yubikey is not fooled, and will not present the credentials to the fake site. But they are ready for that. The fake site displays a generic error message like "sorry, that doesn't seem to be working" and gives you two options: "Try again" and "Try another method." If you "Try again," of course, the same thing happens. At this point, probably 98% of people will click "Try another method." The bad guys have your password, so they can cause Vanguard to send you an SMS or Google prompt at this point. You will then use the code or click the prompt, and they're in.

If you only have two yubikeys, you can't be tricked like this. This is probably why Google requires security keys exclusively in their Advanced Protection Program. Sure, if you have the discipline to never use your backup method unless your security key is lost, this isn't an issue. But like I said, 98% of people will use it if their Yubikey appears not to be working, and that makes them vulnerable.

And if you're thinking this is an awful lot of work for the attacker, you're right. I don't know of any real-world untargeted phishing attempts that go to this much effort. Most security professionals are paranoid and give paranoid advice. That said, if you face an elevated risk of targeted attacks, you should probably grow a healthy level of paranoia too.
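The reason the key "is not fooled" in the scenario above is that a FIDO/WebAuthn security key selects its credential by the relying-party id the browser derives from the page's real origin, and the signed client data includes that origin, so a look-alike site can neither obtain an assertion for the real site nor forward one it obtained elsewhere. The following is an added illustration written for this thread, not code from Yubico, Vanguard or Google: it models the three parties (key, browser, site) with an HMAC and a per-credential secret standing in for the key's asymmetric key pair and signature, and uses constructed placeholder hostnames (`broker.example`, `broker-login.example`).

```python
"""Toy model of WebAuthn origin binding (added example; not from the thread).

Stand-ins: a per-credential secret and HMAC replace the security key's
asymmetric key pair and signature; hostnames are constructed placeholders.
"""
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse


class Authenticator:
    """Security-key model: at most one credential per relying-party id (rpId)."""

    def __init__(self):
        self._creds = {}  # rp_id -> (credential_id, secret)

    def make_credential(self, rp_id):
        cred_id, secret = secrets.token_hex(8), secrets.token_bytes(32)
        self._creds[rp_id] = (cred_id, secret)
        return cred_id, secret  # the site stores these at registration

    def get_assertion(self, rp_id, origin, challenge):
        # The credential is chosen by rpId; an rpId never registered gets nothing.
        if rp_id not in self._creds:
            return None
        cred_id, secret = self._creds[rp_id]
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": origin},
            sort_keys=True).encode()
        sig = hmac.new(secret, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
        return {"credential_id": cred_id, "client_data": client_data, "signature": sig}


def browser_get(authenticator, page_origin, requested_rp_id, challenge):
    """Browser model: the page may only request an rpId equal to, or a
    registrable suffix of, the host it was actually loaded from."""
    host = urlparse(page_origin).hostname or ""
    if not (host == requested_rp_id or host.endswith("." + requested_rp_id)):
        return None  # a real browser raises SecurityError here
    return authenticator.get_assertion(requested_rp_id, page_origin, challenge)


class RelyingParty:
    """Site model: verifies ceremony type, fresh challenge, origin, key, signature."""

    def __init__(self, rp_id, origin):
        self.rp_id, self.origin = rp_id, origin
        self._users = {}    # user -> (credential_id, secret)
        self._pending = {}  # user -> outstanding challenge

    def register(self, user, cred_id, secret):
        self._users[user] = (cred_id, secret)

    def credential_id(self, user):
        return self._users[user][0]  # credential ids are not secret in WebAuthn

    def begin_login(self, user):
        self._pending[user] = secrets.token_hex(16)
        return self._pending[user]

    def finish_login(self, user, assertion):
        if assertion is None:
            return False, "no assertion"
        cd = json.loads(assertion["client_data"])
        if cd.get("type") != "webauthn.get":
            return False, "wrong ceremony type"
        if cd.get("challenge") != self._pending.pop(user, None):
            return False, "stale or unknown challenge"  # challenge is single-use
        if cd.get("origin") != self.origin:
            return False, "origin mismatch"
        cred_id, secret = self._users.get(user, (None, None))
        if assertion["credential_id"] != cred_id:
            return False, "unknown credential"
        expected = hmac.new(secret, hashlib.sha256(assertion["client_data"]).digest(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return False, "bad signature"
        return True, "ok"


RP = RelyingParty("broker.example", "https://broker.example")  # constructed site
KEY = Authenticator()
RP.register("alice", *KEY.make_credential("broker.example"))


def legit_login():
    ch = RP.begin_login("alice")
    return RP.finish_login("alice", browser_get(KEY, "https://broker.example", "broker.example", ch))


def phished_login():
    # Look-alike page relays the real challenge and asks for the real rpId;
    # the browser refuses because the page's host does not match.
    ch = RP.begin_login("alice")
    return RP.finish_login("alice", browser_get(KEY, "https://broker-login.example", "broker.example", ch))


def relayed_assertion_login():
    # Even if the key had a credential for the look-alike domain, its assertion
    # is signed over that origin; rewriting the origin breaks the signature.
    KEY.make_credential("broker-login.example")
    ch = RP.begin_login("alice")
    a = browser_get(KEY, "https://broker-login.example", "broker-login.example", ch)
    cd = json.loads(a["client_data"])
    cd["origin"] = RP.origin
    a["client_data"] = json.dumps(cd, sort_keys=True).encode()
    a["credential_id"] = RP.credential_id("alice")
    return RP.finish_login("alice", a)


def replayed_login():
    # A captured assertion cannot be reused: the challenge was consumed.
    ch = RP.begin_login("alice")
    a = browser_get(KEY, "https://broker.example", "broker.example", ch)
    RP.finish_login("alice", a)
    return RP.finish_login("alice", a)
```

The model makes the post's point concrete: every check that defeats the fake site (rpId derived from the real origin, origin inside the signed data, single-use challenge) happens in the browser and the key, with no user judgement involved, whereas an SMS code or a push prompt carries no origin at all and so can be relayed from anywhere.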
User avatar
beyou
Posts: 6801
Joined: Sat Feb 27, 2010 2:57 pm
Location: If you can make it there

Re: How many Yubikeys?

Post by beyou »

eigenperson wrote: Sat Feb 10, 2024 6:25 am
beyou wrote: Fri Feb 09, 2024 11:36 am Sorry to revive an old thread from 2022, but I just started using Yubikey and frankly don't see why I need more than 1.
Since Vanguard (and google) still have backup methods of authentication, phone based mainly, if somehow my device was lost or broken, one can use the backup method to login, remove your old Yubikey device and add a new one that you would purchase when needed.

What am I missing here ?
The yubikey is unphishable. The backup method is vulnerable to phishing. To you, the risk is that you could be tricked into using your backup method.

Imagine you are tricked into accessing a convincing, fake site that looks like Vanguard. You type in your password (so now the bad guys have the password). Then, as usual, it asks you to insert your yubikey. Fortunately, the yubikey is not fooled, and will not present the credentials to the fake site. But they are ready for that. The fake site displays a generic error message like "sorry, that doesn't seem to be working" and gives you two options: "Try again" and "Try another method." If you "Try again," of course, the same thing happens. At this point, probably 98% of people will click "Try another method." The bad guys have your password, so they can cause Vanguard to send you an SMS or Google prompt at this point. You will then use the code or click the prompt, and they're in.

If you only have two yubikeys, you can't be tricked like this. This is probably why Google requires security keys exclusively in their Advanced Protection Program. Sure, if you have the discipline to never use your backup method unless your security key is lost, this isn't an issue. But like I said, 98% of people will use it if their Yubikey appears not to be working, and that makes them vulnerable.

And if you're thinking this is an awful lot of work for the attacker, you're right. I don't know of any real-world untargeted phishing attempts that go to this much effort. Most security professionals are paranoid and give paranoid advice. That said, if you face an elevated risk of targeted attacks, you should probably grow a healthy level of paranoia too.
This is a good reason to use password managers and super long complex passwords that are difficult to remember and type. I NEVER type important passwords, only use my password manager. A password manager will respond only if using the correct site. Also I do not click links to sites like Vanguard or my bank; I use my own bookmarks so I know I am going to the correct site. One should protect themselves in this manner no matter what type of 2FA security you have; your password is your first line of defense.
User avatar
beyou
Posts: 6801
Joined: Sat Feb 27, 2010 2:57 pm
Location: If you can make it there

Re: How many Yubikeys?

Post by beyou »

To summarize, I bought a Yubikey mainly to use with Vanguard, as a convenience to reduce the need for codes (both time to receive them and enter them). Since Vanguard requires SMS as a backup, I am not concerned about losing access to my account, should the hardware key be lost or die. So again, why buy another?

For sites where maybe you can use yubikey exclusively, maybe there is a security benefit, but there is a loss of access risk having only one method to authenticate. Vanguard’s yubikey was reportedly down for almost an hour back in November, so if no alternate method was available, one could not login (but since Vanguard forces use of sms you could login).

viewtopic.php?t=415836

Also I read older comments that if you have a 401k at Vanguard, you cannot eliminate the SMS 2FA. Still true? I HAD a 401k there long ago, and the site still has some references to it even though I rolled it over long ago. Not sure removing SMS would even be possible if this is still the case. And given my comment above, not sure I want to do so.
eigenperson
Posts: 241
Joined: Mon Nov 09, 2015 6:16 pm

Re: How many Yubikeys?

Post by eigenperson »

beyou wrote: Sat Feb 10, 2024 6:36 am
eigenperson wrote: Sat Feb 10, 2024 6:25 am
beyou wrote: Fri Feb 09, 2024 11:36 am Sorry to revive an old thread from 2022, but I just started using Yubikey and frankly don't see why I need more than 1.
Since Vanguard (and google) still have backup methods of authentication, phone based mainly, if somehow my device was lost or broken, one can use the backup method to login, remove your old Yubikey device and add a new one that you would purchase when needed.

What am I missing here ?
The yubikey is unphishable. The backup method is vulnerable to phishing. To you, the risk is that you could be tricked into using your backup method.

Imagine you are tricked into accessing a convincing, fake site that looks like Vanguard. You type in your password (so now the bad guys have the password). Then, as usual, it asks you to insert your yubikey. Fortunately, the yubikey is not fooled, and will not present the credentials to the fake site. But they are ready for that. The fake site displays a generic error message like "sorry, that doesn't seem to be working" and gives you two options: "Try again" and "Try another method." If you "Try again," of course, the same thing happens. At this point, probably 98% of people will click "Try another method." The bad guys have your password, so they can cause Vanguard to send you an SMS or Google prompt at this point. You will then use the code or click the prompt, and they're in.

If you only have two yubikeys, you can't be tricked like this. This is probably why Google requires security keys exclusively in their Advanced Protection Program. Sure, if you have the discipline to never use your backup method unless your security key is lost, this isn't an issue. But like I said, 98% of people will use it if their Yubikey appears not to be working, and that makes them vulnerable.

And if you're thinking this is an awful lot of work for the attacker, you're right. I don't know of any real-world untargeted phishing attempts that go to this much effort. Most security professionals are paranoid and give paranoid advice. That said, if you face an elevated risk of targeted attacks, you should probably grow a healthy level of paranoia too.
This is a good reason to use password managers and super long complex passwords that are difficult to remember and type. I NEVER type important passwords, only use my password manager. A password manager will respond only if using the correct site. Also I do not click links to sites like Vanguard or my bank; I use my own bookmarks so I know I am going to the correct site. One should protect themselves in this manner no matter what type of 2FA security you have; your password is your first line of defense.
There are ways to phish people other than having them click on links, though that's certainly the most common. Password managers are a good defense against phishing.

Though there are other ways an attacker could get your password (like those regular large-scale breaches that the news keeps trying to scare people with), which is generally not true of a hardware key credential.
gavinsiu
Posts: 4347
Joined: Sun Nov 14, 2021 11:42 am

Re: How many Yubikeys?

Post by gavinsiu »

One important setting change is to make sure your notifications are not visible when your phone is locked. I have noticed on some phones the notification displays entirely on the lock screen by default, so if someone steals your phone they can get access to your 2FA if SMS or Google Voice is used.
User avatar
beyou
Posts: 6801
Joined: Sat Feb 27, 2010 2:57 pm
Location: If you can make it there

Re: How many Yubikeys?

Post by beyou »

gavinsiu wrote: Sat Feb 10, 2024 8:01 am One important setting change is to make sure your notifications are not visible when your phone is locked. I have noticed on some phones the notification displays entirely on the lock screen by default, so if someone steals your phone they can get access to your 2FA if SMS or Google Voice is used.
Great tip, easy to shut off the notifications.
funxional
Posts: 262
Joined: Thu Oct 27, 2022 4:29 pm

Re: How many Yubikeys?

Post by funxional »

Your security is as weak as the weakest link. What additional security does Yubikey give you if there is SMS fallback? None.

Two yubikeys as backup for each other; possibly 1-2 more but not required.

Yes, it's true that many sites still don't let you disable other methods of fallback. Most banks don't even support Yubikey. I think the consumer hardware is ahead of the implementation so the practical impact is limited. I believe Google lets you disable other methods.

In that case, if you want to get one just to play with it that's fine. However, adding keys can be cumbersome (trying to make sure you add it to each site), so IMO it's better to do at least 2 at the same time if you expect to keep using them. Eventually the platforms will catch up with the tech.