Any Yubikey users? Question and BlackFriday promo

Hi all,

And I want to ensure the best security possible on a sensitive Gmail account and after reading a lot about 2FA it seems using a Yubico Key is more secure than 2FA using phone app like Google Authenticator for example.

So I’m very interested in buying a YubiKey 4 (https://www.yubico.com/product/yubikey-4-series/#yubikey-4) using their current BlackFriday promo https://www.yubico.com/save/

But before I buy, I want to know if with this YubiKey 4 I can completely stop using my phone as 2FA equipment.

I already know that YubiKey 4 can be used as 2FA on Gmail and many other services, but my question is if it can also be used in ALL other websites that allow/support Google Authenticator?

Or no, it depends on the website?

Thanks

Note: I know this is not Yubico helpdesk, but because the promotion is running just these days I really need a fast response to decide if I buy or not.

Comments

  • It's a similar product, only done in hardware. I'd argue that it's actually somewhat less secure, provided you never have your phone out of your own hands- how about your keys?

    You're going to need the NEO for USB-1/2/3 port access, which does work with 2FA. However, they suggest keeping your phone in case you don't have your key for authentication- so, what purpose does it really add? Well, you get to feel cool using it, but it's nowhere near the keyfobs we had back in the 90s with their simple 8 numeric OTP.

    Let's mention their OTP setup. The OTP is just a string with its own ID attached and it goes through their own API. As far as I can tell, that's its entire security protocol (beyond any hashes generated between the device itself internally and what they have stored on their servers).

    Save your $50 and write /dev/random to a 64MB USBfob. It's just about as useful for a private hash, and you don't need to use an external auth/API to identify yourself.

  • @WSS

    Thanks for your detailed explanation! But I'm still confused. Can a Yubikey 4 work with ALL websites that support Google Authenticator phone app? Or not all websites (it depends on the website)?

    Anyone? Thanks!

  • @nqservices it's kind of a supplement. You're probably still going to need your phone.

  • For what it's worth, these things are a dime a dozen under different names. If you just want ease of access without needing to be tied to yet another device, get a SecurID.

  • @WSS

    Once again thanks. I really wanted a solution where phone is not needed for any 2FA website. Yubikey 4 seemed like the solution.

    From your explanation it seems you are not currently using. Anyone using Yubikey 4 that can share their feedback? Can it work for ALL websites that support Google Authenticator phone app?

    Thanks

  • I have a same-as tool under a different name. It can be used to unlock, as long as you write your credentials to it, and have the supporting software on any machine you use.

  • SpartanHost (Member, Host Rep)

    @nqservices said:
    @WSS

    Once again thanks. I really wanted a solution where phone is not needed for any 2FA website. Yubikey 4 seemed like the solution.

    From your explanation it seems you are not currently using. Anyone using Yubikey 4 that can share their feedback? Can it work for ALL websites that support Google Authenticator phone app?

    Thanks

    I have the Yubikey Neo (says it has most capabilities of the Yubikey 4 so I assume it's the same) and it works fine with all sites that work with Google Authenticator; the device app looks similar to Google Authenticator. I just add the secret into the Yubico Authenticator app like on Google Authenticator and that's it. You can set a password for accessing it too.

    https://www.yubico.com/support/knowledge-base/categories/articles/yubico-authenticator-download/

  • @SpartanHost said:

    I have the Yubikey Neo (says it has most capabilities of the Yubikey 4 so I assume it's the same) and it works fine with all sites that work with Google Authenticator

    Thanks for your explanation! So in a simple way, your Yubikey Neo works with ALL websites that support Google Authenticator mobile app?

    Just to make sure, not just the websites listed at: https://www.yubico.com/solutions/ but ALL websites, with no exceptions, without using a phone, correct?

    Also any other special advice or recommendation regarding Yubikey, since you are using it?

    Thanks!

  • SpartanHost (Member, Host Rep)

    @nqservices said:

    @SpartanHost said:

    I have the Yubikey Neo (says it has most capabilities of the Yubikey 4 so I assume it's the same) and it works fine with all sites that work with Google Authenticator

    Thanks for your explanation! So in a simple way, your Yubikey Neo works with ALL websites that support Google Authenticator mobile app?

    Just to make sure, not just the websites listed at: https://www.yubico.com/solutions/ but ALL websites, with no exceptions, without using a phone, correct?

    Also any other special advice or recommendation regarding Yubikey, since you are using it?

    Thanks!

    Correct. Not really; I use both that TOTP element and the U2F. U2F is of course best used for sites that support it, such as the ones in the link you provided, but the TOTP element works for ALL sites that work with Google Authenticator; it's basically just Google Authenticator on a stick. No phone needed for the actual stick to operate, just a computer/phone that can run the app.

    Thanked by 1nqservices