I am struggling at the moment as my credit card and PayPal won't let me use them until they send me a text with a pass code. I ordered some stuff online yesterday afternoon and the pass code came through at 11 last night??
Gina
Do you use LastPass? Security Bulletin. (1 Viewer)
- Thread starter Gromett
- Start date
Gina
Ejaydee
LIFE MEMBER
- Jul 25, 2018
- 351
- 1,873
- Funster No
- 55,136
- MH
- Roller Team T 590
- Exp
- Since retiring
Gomett, please excuse my ignorance, but what would you do if you physically lost the YubiKey, how would you then access all your accounts? I understand the trick is not to lose the key, but we are all human and loss of small things is a human falibility!
The main problem with physical (Yubi)keys and other similar dongle devices is you need the physical item.
This may be fine on the office/home on a PC, but is totally impractical on the street when you are trying to find a PIN code for a card in a shop or in the passport queue when they want a copy or a number of something.
2FA could be made simpler by a password and then a physical proof of retinal ID, face recognition, voice recognition or fingerprint (or instant DNA in the future)
This may be fine on the office/home on a PC, but is totally impractical on the street when you are trying to find a PIN code for a card in a shop or in the passport queue when they want a copy or a number of something.
2FA could be made simpler by a password and then a physical proof of retinal ID, face recognition, voice recognition or fingerprint (or instant DNA in the future)
I had face recognition on my old phone, it NEVER recognised me first thing in the morning
Gina
I have just checked and yes, Paypal support Yubi key. They didn't last time I checked a few years ago so I have been using the phone authentication.
Just enabled my YubiKey on it. Thanks for the prompt. That will save me some time in future
Subscribers do not see these advertisements
I never found it to be a problem. I have it on my keychain. I simply swipe it across the back of the phone.
Having 2FA built into the phone is not as secure as having a separate physical unhackable device as I described in a previous post.
Physical keys like the Yubi at the best possible security. But if you don't like them no one is forcing you
I note that they recommend having a second key for back up? Making it even more expensive and when reading the reviews although mostly good there are a few issues raised about applications that do not subscribe to yubi
heres a sensible review from Amazon
READ THIS BEFORE BUYING !!!!!!!!!
Reviewed in the United Kingdom on 19 September 2020
Size Name: YubiKey 5 NFC
I'm a technologist and consider myself far more technically capable than the average consumer. Before purchasing this, in my mind, I thought I could use it for everything and simply tap the button when logging into anything I wanted. This is but a dream that may never materialise because it requires various parties to standardise authentication flows and practices. I've listed a few use-cases below and how they work in the real world;
WINDOWS 10 LOGIN - You can add several Yubikeys which is nice. You still have to type in your Windows username and password, if an enrolled Yubikey is not present in one of your USB ports, Windows 10 won't log you in (which is cool). However, it only works with local accounts, not domain accounts or Microsoft ID. So if you login to your laptop or PC with your Microsoft Account (email address) then you'll have to convert your account to local (which is actually really easy and it just means your wallpaper and stuff won't sync to other Windows 10 machines). Secondly, you'll need to install the Yubico Login Configuration tool to set this up.
AMAZON SHOPPING/PRIME - You can add several Yubikeys which is great but you can't just login by having the key plugged into a USB port and touching the button. You still put in your credentials and then use the MFA code from the Yubico MFA app (which lists the codes associated with your key). So basically, I ditched the Microsoft Authenticator app, the Google Auth App and another one I was using, installed the Yubico auth app and enrolled MFA again for my critical apps and services.
PAYPAL - You can only add one MFA method at a time and have Mobile SMS as a backup. So you have a choice, risk a single Yubikey and if you loose it, you're stuck. Or, use a weak mobile secondary text message service as a recovery option! - Bit pointless in my opinion!
LINKEDIN - You can only have one MFA method - Again, single Yubikey and it's not a case of plugging it in/tapping it on your phone via NFC. You still have to enter your creds, unless auto-saved/populated by the app or device or browser and then copy the MFA code from the Yubico MFA app (desktop or mobile).
FACEBOOK - The most accommodating and best experience, second only to Windows 10. You can several keys and it's just a touch to login. You must have an MFA auth app setup as a backup which can be anything, but as I was using the Yubico MFA app I just used that for FB too. You're not force to use a weaker mobile SMS as a backup/recovery option and you're not asked for creds all the time.
RECOMMENDATION - Use in conjunction with a great credential manager like LastPass or KeePass - Thank me later!
I hope that all makes sense, in summary it does add security but that comes with complexity. The amount of security you get depends on what website, app or service you are looking to integrate this with. I think these are over priced to be honest, you would get much better value from having LastPass + LastPass MFA app, having a different robo-generated password for each thing you use and ditching mobile recovery options and all other MFA apps, plus you can't miss-place a password keeper solution.
IMPROVEMENTS NEEDED;
1) Prompt, yes/no, allow/deny in the Yubico MFA app(s).
2) Better integration and awareness with common third parties.
3) Further simplification, although easy for me, my mum would give this 5 minutes of effort and throw it in the bin.
65 people found this helpful
heres a sensible review from Amazon
READ THIS BEFORE BUYING !!!!!!!!!
Reviewed in the United Kingdom on 19 September 2020
Size Name: YubiKey 5 NFC
I'm a technologist and consider myself far more technically capable than the average consumer. Before purchasing this, in my mind, I thought I could use it for everything and simply tap the button when logging into anything I wanted. This is but a dream that may never materialise because it requires various parties to standardise authentication flows and practices. I've listed a few use-cases below and how they work in the real world;
WINDOWS 10 LOGIN - You can add several Yubikeys which is nice. You still have to type in your Windows username and password, if an enrolled Yubikey is not present in one of your USB ports, Windows 10 won't log you in (which is cool). However, it only works with local accounts, not domain accounts or Microsoft ID. So if you login to your laptop or PC with your Microsoft Account (email address) then you'll have to convert your account to local (which is actually really easy and it just means your wallpaper and stuff won't sync to other Windows 10 machines). Secondly, you'll need to install the Yubico Login Configuration tool to set this up.
AMAZON SHOPPING/PRIME - You can add several Yubikeys which is great but you can't just login by having the key plugged into a USB port and touching the button. You still put in your credentials and then use the MFA code from the Yubico MFA app (which lists the codes associated with your key). So basically, I ditched the Microsoft Authenticator app, the Google Auth App and another one I was using, installed the Yubico auth app and enrolled MFA again for my critical apps and services.
PAYPAL - You can only add one MFA method at a time and have Mobile SMS as a backup. So you have a choice, risk a single Yubikey and if you loose it, you're stuck. Or, use a weak mobile secondary text message service as a recovery option! - Bit pointless in my opinion!
LINKEDIN - You can only have one MFA method - Again, single Yubikey and it's not a case of plugging it in/tapping it on your phone via NFC. You still have to enter your creds, unless auto-saved/populated by the app or device or browser and then copy the MFA code from the Yubico MFA app (desktop or mobile).
FACEBOOK - The most accommodating and best experience, second only to Windows 10. You can several keys and it's just a touch to login. You must have an MFA auth app setup as a backup which can be anything, but as I was using the Yubico MFA app I just used that for FB too. You're not force to use a weaker mobile SMS as a backup/recovery option and you're not asked for creds all the time.
RECOMMENDATION - Use in conjunction with a great credential manager like LastPass or KeePass - Thank me later!
I hope that all makes sense, in summary it does add security but that comes with complexity. The amount of security you get depends on what website, app or service you are looking to integrate this with. I think these are over priced to be honest, you would get much better value from having LastPass + LastPass MFA app, having a different robo-generated password for each thing you use and ditching mobile recovery options and all other MFA apps, plus you can't miss-place a password keeper solution.
IMPROVEMENTS NEEDED;
1) Prompt, yes/no, allow/deny in the Yubico MFA app(s).
2) Better integration and awareness with common third parties.
3) Further simplification, although easy for me, my mum would give this 5 minutes of effort and throw it in the bin.
65 people found this helpful
Last edited:
Langtoftlad
LIFE MEMBER
- Apr 12, 2011
- 8,865
- 151,341
- Funster No
- 16,024
- MH
- WildAx Aurora FB [PVC]
- Exp
- Since 2015
Yup - such a "valued customer" that they don't even remember his name . . .
I note that they recommend having a second key for back up? Making it even more expensive and when reading the reviews although mostly good there are a few issues raised about applications that do not subscribe to yubi
heres a sensible review from Amazon
READ THIS BEFORE BUYING !!!!!!!!!
Reviewed in the United Kingdom on 19 September 2020
Size Name: YubiKey 5 NFC
I'm a technologist and consider myself far more technically capable than the average consumer. Before purchasing this, in my mind, I thought I could use it for everything and simply tap the button when logging into anything I wanted. This is but a dream that may never materialise because it requires various parties to standardise authentication flows and practices. I've listed a few use-cases below and how they work in the real world;
WINDOWS 10 LOGIN - You can add several Yubikeys which is nice. You still have to type in your Windows username and password, if an enrolled Yubikey is not present in one of your USB ports, Windows 10 won't log you in (which is cool). However, it only works with local accounts, not domain accounts or Microsoft ID. So if you login to your laptop or PC with your Microsoft Account (email address) then you'll have to convert your account to local (which is actually really easy and it just means your wallpaper and stuff won't sync to other Windows 10 machines). Secondly, you'll need to install the Yubico Login Configuration tool to set this up.
AMAZON SHOPPING/PRIME - You can add several Yubikeys which is great but you can't just login by having the key plugged into a USB port and touching the button. You still put in your credentials and then use the MFA code from the Yubico MFA app (which lists the codes associated with your key). So basically, I ditched the Microsoft Authenticator app, the Google Auth App and another one I was using, installed the Yubico auth app and enrolled MFA again for my critical apps and services.
PAYPAL - You can only add one MFA method at a time and have Mobile SMS as a backup. So you have a choice, risk a single Yubikey and if you loose it, you're stuck. Or, use a weak mobile secondary text message service as a recovery option! - Bit pointless in my opinion!
LINKEDIN - You can only have one MFA method - Again, single Yubikey and it's not a case of plugging it in/tapping it on your phone via NFC. You still have to enter your creds, unless auto-saved/populated by the app or device or browser and then copy the MFA code from the Yubico MFA app (desktop or mobile).
FACEBOOK - The most accommodating and best experience, second only to Windows 10. You can several keys and it's just a touch to login. You must have an MFA auth app setup as a backup which can be anything, but as I was using the Yubico MFA app I just used that for FB too. You're not force to use a weaker mobile SMS as a backup/recovery option and you're not asked for creds all the time.
RECOMMENDATION - Use in conjunction with a great credential manager like LastPass or KeePass - Thank me later!
I hope that all makes sense, in summary it does add security but that comes with complexity. The amount of security you get depends on what website, app or service you are looking to integrate this with. I think these are over priced to be honest, you would get much better value from having LastPass + LastPass MFA app, having a different robo-generated password for each thing you use and ditching mobile recovery options and all other MFA apps, plus you can't miss-place a password keeper solution.
IMPROVEMENTS NEEDED;
1) Prompt, yes/no, allow/deny in the Yubico MFA app(s).
2) Better integration and awareness with common third parties.
3) Further simplification, although easy for me, my mum would give this 5 minutes of effort and throw it in the bin.
65 people found this helpful
1) I have never loaded a Yubico app. I don't know why he needs one to be honest?
2) third party integration is not Yubi's job it is the job of the companies and companies are coming on board with it really fast.
3) I do not know how it could be made simpler????
With respect to 3 above. Making it simpler... I do not know how they could do this. I just registered My Yubikey with paypal. It was a 2 step process.
Click the register button, touch the key, give it a name.
I also think the review is out of date.
Paypal, does allow multiple yubikeys.
Windows 10 login and Amazon. Of course you still need to put in your credentials. The Yubi key is a 2nd factor not a primary factor. The whole point of 2 factor authentication is that it requires both something you know and something you own.
A password can be hacked/leaked, but this does no good if the hacker does not have access to your physical key.
A thief in the real world may be able to steal your yubi key but he cannot steal the password from your brain.
For a thief to be successful he must hack your computer AND steal your physical key. That is the whole point of 2FA.
PS: It is worth noting that this is not a YubiCo proprietary system. YubiCo have just implemented the international standards in a very high quality, rugged and easy to use package.
YubiKey's support: FIDO2/WebAuthn, U2F, Smart card, OpenPGP, OTP
Subscribers do not see these advertisements
That is something you would need to plan for. Multiple options.
Have a back up 2FA. Some apps offer an emergency code which you can print out and keep in a safe place.
Have a 2nd key which you register with the apps. So if one breaks or you lose it...
It’s this bit I find more informative it’s all very well if you are computer expert but for some of us it gets a bit to complicated? As in different set ups for different applications
I worked for over 30 years in software development and training people to use software.
With any new app, internal or external, that we expected the users to use we used to give to 'June'.
The original June was our technically illiterate receptionist. In other words, just like many of our users.
She would be given the new app, told the basics, and we would watch how she got it running, what bits she found (and the bits she did not), we then made decision on what needed changing and whether we would go with that app.
It came as no surprise to me, but a big surprise to the developers, just how many apps (or major parts of apps) failed the June test.
Bottom line is if a 50 something technically illiterate person can not pick up the app and make it work inside 5 minutes, then the app is effectively useless in the public domain.
With any new app, internal or external, that we expected the users to use we used to give to 'June'.
The original June was our technically illiterate receptionist. In other words, just like many of our users.
She would be given the new app, told the basics, and we would watch how she got it running, what bits she found (and the bits she did not), we then made decision on what needed changing and whether we would go with that app.
It came as no surprise to me, but a big surprise to the developers, just how many apps (or major parts of apps) failed the June test.
Bottom line is if a 50 something technically illiterate person can not pick up the app and make it work inside 5 minutes, then the app is effectively useless in the public domain.
Had it early this morningU.Toadifact Brains Langtoftlad DBK
Oh Ye of little faith.
I did check this out before passing it on to you.
But if you don't believe me OR the DIRECT on the lastpass.com website blog that I linked maybe you will believe a 3rd party trusted news site?
LastPass developer systems hacked to steal source code
Password management firm LastPass was hacked two weeks ago, enabling threat actors to steal the company's source code and proprietary technical information.www.bleepingcomputer.com
Give it time OR check your spam box.
Here is the thing. registering a YubiKey in an app should be no more than
1) Click a button to initiate the process.
2) Touch the YubiKey on the gold disk
3) Optionally give it a name.
That really is all that is necessary to register a key. A good app will however send an email asking for confirmation to activate it and perhaps ask for a password before activation.
If a user cannot figure out how to activate a yubikey then it is the fault of the app not the yubikey or the key process (which is dead simple).
I am also a software developer and have 20 x June's on the beta list. They can break stuff in ways that no sane person would ever imagine.
Subscribers do not see these advertisements
One major maritime company spent 2 years and millions of pounds developing an amazing database app.
They then put it out to thousands of users.
Then the requests started to roll in at the rate of dozens per hour,
it does not do this, it does not do that, its missing this or that.
It did do all the things, it was just too difficult for the users to find the feature in 2 or 3 clicks.
I took over and had the interface completely redesigned. I made it so that all the basic requirements could be all driven by function keys (mouse optional). I also made it so that people could easily switch between the old interface and the new 'kids version' as the developers called it.
Within a month the only people using the original interface were IT, Development and Research. All the actual users had switched to the simple version and the calls dropped to 1 or 2 a day
They then put it out to thousands of users.
Then the requests started to roll in at the rate of dozens per hour,
it does not do this, it does not do that, its missing this or that.
It did do all the things, it was just too difficult for the users to find the feature in 2 or 3 clicks.
I took over and had the interface completely redesigned. I made it so that all the basic requirements could be all driven by function keys (mouse optional). I also made it so that people could easily switch between the old interface and the new 'kids version' as the developers called it.
Within a month the only people using the original interface were IT, Development and Research. All the actual users had switched to the simple version and the calls dropped to 1 or 2 a day
DumfriesDik
Free Member
Obvs. Sorry, ambiguous post. I agree, great they told us, yes, great communication. It was the thought that my passwords may be compromised, not great of course.
No problems, Perhaps I misread the intent sorry.Obvs. Sorry, ambiguous post. I agree, great they told us, yes, great communication. It was the thought that my passwords may be compromised, not great of course.
But no, your passwords are safe. Knowing how something is done does not mean you automatically know how to undo it. The encryption they use on your passwords in pretty rock solid in the view of some extremely experienced experts in the field.
My concern with them getting access to the developer account is that is may give them insight into the infrastructure and a means to make fake copies of the lastpass software.
Last edited:
Minxy
LIFE MEMBER
- Aug 22, 2007
- 32,686
- 66,696
- Funster No
- 149
- MH
- Carthago Compactline
- Exp
- Since 1996, had Elddis/Swift/Rapido/Rimor/Chausson MHs. Autocruise/Globecar PVCs/Compactline i-138
OooooOooooooo ... sounds like fun! If you ever get stuck for a guinea pig leg me know as I like puzzles and will promise to try my hardest to break it - my brain works differently to most as the company who provided the timetabling software found out when I discovered a completely different way to do something on it they hadn't even thought of!
Thanks for the offer. But it is for a financial services company in Canada so only Canadians can realistically use it.
Subscribers do not see these advertisements
Minxy
LIFE MEMBER
- Aug 22, 2007
- 32,686
- 66,696
- Funster No
- 149
- MH
- Carthago Compactline
- Exp
- Since 1996, had Elddis/Swift/Rapido/Rimor/Chausson MHs. Autocruise/Globecar PVCs/Compactline i-138
I could emigrate I suppose ..
2FA using phone or phone based authenticator apps were sidestepped by a few of these companies. Whilst 2FA using your phone is better than just a raw username/password combo. It is not as secure as a hardware key such as the Yubi Key. Which is the point I was trying to make earlier.
Not for everyone, but if security is important well worth considering.
arstechnica.com
Not for everyone, but if security is important well worth considering.
The number of companies caught up in in recent hacks keeps growing
2FA provider Authy, password manager LastPass, and DoorDash all experienced breaches.
Minxy
LIFE MEMBER
- Aug 22, 2007
- 32,686
- 66,696
- Funster No
- 149
- MH
- Carthago Compactline
- Exp
- Since 1996, had Elddis/Swift/Rapido/Rimor/Chausson MHs. Autocruise/Globecar PVCs/Compactline i-138
2FA authentication is good but .... it can also be a pain in the bum!
I got an O2 sim (PAYG) which I registered it in my name, topped up from my bank account and put into my Mum's phone which she obviously has all the time in the care home. Trouble is that in order to check the balance I have to do it via by sending a text or making a call from the phone with O2 sim in, or by logging in online which sounds simply enough except in order to do so as well as logging in with my ID and password I need a code which is sent by text to the sim in Mum's phone. Unfortunately the last time I tried to get Mum to give me a code off her phone she got very confused so it's not something I can ask her for and as the care home is in lockdown as they have covid in it (not Mum fortunately) I can't visit to use the phone to check the balance.
I've rung O2 and they said they can't help me as ... surprise surprise ... I won't be able to give them a code they want to send to the phone ... same with online chat ... no code, no dice! This is despite my being able to pass any other security they could ask me so I put in a complaint about receiving a code being the only way to verify the account to which I've had a response which just says because I couldn't pass the security verification (no sh@t Sherlock!!!) they were not at fault so haven't upheld my complaint, totally missing the point I was making that they should have another method to get security clearance!!! I cited the reason being that as Mum had misplaced her phone once, despite it being found, if she did so again and it was lost how could I prove that I was the account holder to get the sim frozen and a new one despatched. Whether I'll get my point across this time I don't know ... here's hoping.
The only thing that may prove useful is that I was advised to contact the accessibility team via a request for assistance form which I completed, as they may be able to help due to my Mum who's 97 having the phone and my not being able to get access to it. I've had a response from them and they again state how to use a code ... BUT have said that giving details of when I topped up, by how much and from where they should be able to give me the balance, I've sent that info back today so you never know I might, just might, be able to find out before the home opens for visitors again at the end of the week (all being well ... literally!) when I should be able to snaffle the phone anyway!
I'm quite happy that they are careful but I feel like I'm dealing with robots who don't take in what's being told to them and just give the party line response ... all I want to do is ensure there's enough dosh on the phone for my Mum but without loading it up much in case she loses it and I can't then get a new sim for her on the account.
..... and breathe!
I got an O2 sim (PAYG) which I registered it in my name, topped up from my bank account and put into my Mum's phone which she obviously has all the time in the care home. Trouble is that in order to check the balance I have to do it via by sending a text or making a call from the phone with O2 sim in, or by logging in online which sounds simply enough except in order to do so as well as logging in with my ID and password I need a code which is sent by text to the sim in Mum's phone. Unfortunately the last time I tried to get Mum to give me a code off her phone she got very confused so it's not something I can ask her for and as the care home is in lockdown as they have covid in it (not Mum fortunately) I can't visit to use the phone to check the balance.
I've rung O2 and they said they can't help me as ... surprise surprise ... I won't be able to give them a code they want to send to the phone ... same with online chat ... no code, no dice! This is despite my being able to pass any other security they could ask me so I put in a complaint about receiving a code being the only way to verify the account to which I've had a response which just says because I couldn't pass the security verification (no sh@t Sherlock!!!) they were not at fault so haven't upheld my complaint, totally missing the point I was making that they should have another method to get security clearance!!! I cited the reason being that as Mum had misplaced her phone once, despite it being found, if she did so again and it was lost how could I prove that I was the account holder to get the sim frozen and a new one despatched. Whether I'll get my point across this time I don't know ... here's hoping.
The only thing that may prove useful is that I was advised to contact the accessibility team via a request for assistance form which I completed, as they may be able to help due to my Mum who's 97 having the phone and my not being able to get access to it. I've had a response from them and they again state how to use a code ... BUT have said that giving details of when I topped up, by how much and from where they should be able to give me the balance, I've sent that info back today so you never know I might, just might, be able to find out before the home opens for visitors again at the end of the week (all being well ... literally!) when I should be able to snaffle the phone anyway!
I'm quite happy that they are careful but I feel like I'm dealing with robots who don't take in what's being told to them and just give the party line response ... all I want to do is ensure there's enough dosh on the phone for my Mum but without loading it up much in case she loses it and I can't then get a new sim for her on the account.
..... and breathe!
That is not the fault of 2FA really. It is the fault of the company. They could allow you to set 2 phone numbers/emails to receive the code. That would be the simplest solution. But not sure how many people have this issue to make the development time worth the effort for them?
But, that to one side. Have you considered using remote access software. Teamviewer is the one that springs to mind. Please note. I have never used any of this software before so I don't know if it would work for your use case, nor can I recommend a specific product. But it may solve your issue for now?
Or possibly https://www.splashtop.com/en-gb/remote-access-view-control-android-phones-tablets
Subscribers do not see these advertisements
Minxy
LIFE MEMBER
- Aug 22, 2007
- 32,686
- 66,696
- Funster No
- 149
- MH
- Carthago Compactline
- Exp
- Since 1996, had Elddis/Swift/Rapido/Rimor/Chausson MHs. Autocruise/Globecar PVCs/Compactline i-138
Which thread would that be? There are so many to choose from at present!Relax and go onto the other thread where they are talking a load of shit
Gina
Minxy
LIFE MEMBER
- Aug 22, 2007
- 32,686
- 66,696
- Funster No
- 149
- MH
- Carthago Compactline
- Exp
- Since 1996, had Elddis/Swift/Rapido/Rimor/Chausson MHs. Autocruise/Globecar PVCs/Compactline i-138
Yes, it's not 2FA that's the problem as you say but the company only having ONE method of verification, I did ask if it could be sent to my email instead but that's not an option, it has to be the phone with the sim in, very silly IMV.
Thanks for the suggestion but the trouble with that is my Mum's phone isn't smart, it's one of these so it won't work:
DumfriesDik
Free Member
Seems the security is working well here. It is preventing someone from uploading funds onto mums phone, now we wouldn't want that to happen would we?! I feel your pain.
Join us or log in to post a reply.
To join in you must be a member of MotorhomeFun
Join MotorhomeFun
Join us, it quick and easy!
Log in
Already a member? Log in here.