Welcome to the Homelab Show. What number are we on, Jay? Well, gosh, I totally forgot what number we're on. We've done so many of these and it's like, I know we're not at 50 yet. Not at 50, 45, I had to add it too. It was on the tip of my tongue. It is number 45. We had a meeting, well, Jay did one that ran over and I kind of had one that ran over as I was working on something before I got set up. So, you know, you get those distractions and your notes are not fully out right away. So this is Homelab Show episode 45 where we're gonna talk about YubiKey. These things are awesome. They can save you some convenience. And this is one of those rare exceptions where it's actually relatively convenient and secure. Generally, security and convenience are so much at odds with each other when people, this is what makes them not wanna do security or have long passwords or go through multiple steps of authentication because it's hard, it's inconvenient. And obviously, most of the attacks, because they occur remotely, you can think about your threat modeling a little bit differently in terms of technology. If you're someone who has a physical threat model on you, well, I'm sorry, YubiKey's probably not the solution and we're probably not the podcast for you because we're gonna focus on the technology side and securing things, not as much. I mean, yeah, it does help your physical person to an extent. We'll actually talk a little bit about that because there's an option to use LUKS encryption with YubiKey. But before we get too far off topic, let's start by thanking the sponsor of the show. That is Linode. And Linode has been a sponsor since the beginning. They continue to sponsor the Homelab Show and it's a great place to host and talk about all these projects. Matter of fact, let's bring it related to YubiKey. Yes, you can set your YubiKey authentication up on a Linode server so you can log in and then need your YubiKey to get any further.
This is a great way to help secure things. And once again, it's a way to be a little bit easier actually to log in than just SSH keys. It adds an extra factor of authentication, gives you that extra security. I guess the only inconvenient thing could be is if you lost your YubiKey, maybe it's part of their marketing because a lot of the suggestions are buy two YubiKeys. This is a conspiracy by the YubiKey people to get you to buy more YubiKeys. And I like to think of it as like a consequence of having ADD, like I have to buy spare things every now and then because I lose my car keys all the time, I lose everything all the time. So having another of something is always a good thing for us. So I think we could be to blame too. Could be to blame. But either way, when you set it up, it is recommended to use two of them. We'll get into why later in this video, but we wanna thank Linode for sponsoring. Head over to linode.com slash homelab show to get started. It gets you some free time on their servers. So go ahead and get started with that. Thanks, Linode, for doing this. We appreciate it. Yeah. I already see comments on this. We're aware of the news with Linode. That's as far as we can really talk about it. Yeah, we haven't even had a conversation between ourselves about that as of yet. And it's kind of like one of those things we're just kind of digesting that. And- Linode was bought by Akamai so we can get the elephant out of the room. Right, that happened. I found out late last night personally so barely, I haven't even had 24 hours on it yet, but it's one of those things that I might make a video, I might not, I haven't decided yet. Yeah, so, all right, that's as much as we can. We just don't have anything to say. It's not that we know anything more. Matter of fact, it turns out a lot of people didn't know this was gonna happen until it happened, like it was breaking news. I think people could probably accuse me of knowing about it, but I didn't know. I didn't know.
No, that doesn't mean anything. We're not on any disclosure. We were like, oh, look at that interesting piece of news. That happened. Now, I think there's one thing that we can all agree on and let's be honest, there are few things in life that there's universal agreement on. There's always debate about everything, but I think one thing I feel safe to say that there won't be any debate on is the fact that passwords suck. Like- All they do. Who likes passwords? Like raise your hand if you think passwords are awesome. And I really don't think anyone's raising their hand unless they have oppositional defiance disorder, but no judgment on that either. Passwords are horrible. We have to try to remember them and manage them and resist the urge to make them the same across different devices, which we all know is bad. But I mean, honestly, can you say you've never done that? I mean, even I can't say that I've never done that, but you shouldn't do that and we need something better. And passwords are one of those things that I'm surprised we still have. If you were to ask me 10 years ago, do you think we'd still be using passwords in 2022? I'd probably say no. We should have something better by then, but people listening can't see me, but I'm holding up a computer mouse, which is another thing that I wouldn't think we'd still be using that we've had since the 80s, but- So Star Trek lied to me. It kind of did, like, you know, like Scotty, like computer, computer, talking to your mouse. I know, I know. Scotty was, he had me hoping for the future. I remember seeing that going, I can't wait till a time like that. And it kind of gave me a bit, but that movie in particular, Star Trek 4, was the very first theater movie I've ever seen in my life. Anyway, we didn't come here to talk about Star Trek, although I know a few people wouldn't mind that. Fact is, passwords suck. We need something better.
We're kind of like at a crossroads where we have different technologies that do exist, but they're in varying levels of adoption industry-wide. So that's kind of the hard thing is that we could develop something that's amazing and will replace passwords. But will people implement it? I don't know. Now, YubiKeys give us kind of that extra layer of protection because if your username and password were to leak out without a second factor, obviously that's really all someone needs to get into your account. But with the YubiKey or a device like the YubiKey, there's another layer. So you have a button that you have to press to verify you have the thing in your hand. Or if it's NFC, you just kind of wave it around or put it on the back of your phone. And that makes it such that if someone gets your password, then hopefully they won't get any further than that. Obviously change your password if you think it's been compromised, don't rely on the YubiKey to always protect you. But it's kind of one of those things that'll help you out. Now, this is a Homelab podcast. So why do we care, right? Maybe we do, maybe we don't. But I think in today's day and age, whether you're an enterprise user or a Homelab user, this is a good thing to have because I've seen people have their Twitter accounts owned just because they have a username that another person thinks that they want more. So they take over an account just because they want the username. You don't even have to be famous. You don't even have to have a YouTube channel or anything. Sometimes you just have to consider having one or having something to help protect you. And the YubiKey is a hardware device that allows you to do that. And I'm in the process of making another video. There is a video on my channel already about YubiKeys and setting them up, but I'm going to be making an updated one. You can still watch the original. Probably not that great compared to the production quality now on my channel, but it is there.
But part of my desire to dust this topic off again is because the product lineup is just confusing. And when I first looked at it recently in preparation for writing this script, I mean, I've been working on it off and on for a month. Not because it's difficult. I have other things going on. But part of it was like, what do I tell people to buy? Like there's pros and cons of each. And you would think if you buy the most expensive product in a lineup, you get all the features of the ones or the models underneath it plus new features, but that's not really the case. You actually lose some features on the more expensive YubiKeys. So I think that what we're gonna do in this video, or video in this podcast episode, is talk about the basics of the YubiKey and then in the video that I'll be putting out, I'll go a little bit more into detail about it, but there's a lot of advice I think we can give in this video. Yes. Episode. I've been recording a lot and saying video over and over again, I'm working on like 80 videos at the same time. And no, I'm not. And I also shared out Jay's video he did on how to turn on the authentication. There's a couple of PAM modules you need to load in Linux. This will allow you to use YubiKeys for your Linux desktop. This will also allow you to use YubiKeys for your SSH and servers as you set up. So those videos already exist in those tutorials. So we're not gonna get into some of the walking you through step by step because those already exist. And I'll throw them in the show notes, but they're also, when I tweeted out the show, it's in the Twitter and it's easy to find on Jay's channel. If you type in YubiKey, I think it's the only video you have on YubiKey if I'm not mistaken. I'm not aware of, I don't remember doing another one. Yeah, and that one's dated, but like I said, a new one will be coming. So first of all, what can you use a YubiKey for? I think that's a good place to start. And you already mentioned a few things there, right?
So SSH is a big one for us because we use that a lot. So having SSH protected with the YubiKey, you have to press the button. Basically you type in SSH or your SSH command. You type in your password unless you have, like, key authentication as you should. And then the next step is it's going to ask you to press the button on the YubiKey and you do that and then you're logged in. And that's one thing, protecting social media accounts, sure. You know, it doesn't have to be SSH. You could protect your Twitter account, I'm pretty sure. I don't remember what all services support it, I think most do. And you could actually have it backing several different accounts. So that way you have one security key that can get you into your desktop. You can make your login screen, even on Ubuntu, even on the GDM login screen, you can make that require someone to press the key. So you could take the key out, walk away, someone can't just, they know your password, come in behind you and log in. They need the YubiKey and you have it in your hand, then guess what, they can't go any further. Server logins, like you said, you could set that up. And there's even an authenticator app that they offer as well. So there's all kinds of different features here. So I think that it's something to consider and considering how bad passwords are, whether you care about this or not, I think you kind of should because we really need that extra layer of security because the minute that password leaks out there, I mean, who knows, someone could be logging into something that you'd rather they not log into. Exactly, that's a huge thing. Do we wanna talk a little bit about how the protocol works? Yeah, that's something I'm diving into kind of in the middle right now. So we could talk a little bit about that. And then maybe I'll just say a few things and if you can fill in some of the blanks, we could do that because there's several different terminologies that you have to know, right?
There's- It makes them a little bit challenging to understand. Right, there's like OTP, there's TOTP, there's U2F, there's FIDO2, I'm sure I'm forgetting something there because at its basic level, if you don't understand any of this stuff, right? You don't know what these terms mean and we'll talk about it in a sec. You don't really need to know at this basic level, you could set up the YubiKey to where you just press the button and it logs you in. Do you have to know how it works under the hood? No, but we usually like to know that, that's why we're into the homelab thing because we wanna know more. But if you just wanna get started and get up and running, you just buy one, you pair it and then press the button to get in and that's it. But to understand the feature set, we do have to understand some of these terms like OTP, one-time password. I think that one is pretty self-explanatory. It's a password that you can use one time, it's a one-time password. It's something that changes regularly. For example, it increments by one as I understand it. So if you log in, then it increments and then there's another one and there's another one. So I'm gonna explain it a little bit because I think our audience, it'll give them a little bit more of how the OTP algorithm works. I know definitely it works, it's secure, but what if you could see it? What if you could see it and then increment it by one? And this is where it's a little bit of a cool nuance the way Yubico does this with the Yubico OTP generation algorithm. Now, good news is it's completely, if you type in OTPs explained Yubico, they have a detailed write-up. This is all open source. One of the huge things that Yubico does is allow all of this to be open source. So you're completely trusting the math and implementation, not deep dark sorcery secrets locked in silicon. That's a really important factor that all of this is done with open protocols.
That way, from a developer standpoint, you can understand how to implement it and from a security auditing standpoint, you can go through and go, the math is good, and they break down all the math in there. Now we're not gonna get too deep into the math, but we will talk about how that works with the ID. So every time you touch the YubiKey, if you're using the YubiKey OTP for authentication, it has the UID, the private secret ID, then it has the usage counter, then it has the timestamp, session counter and random number. Each time it generates a one-time password, just as it sounds, OTP, one-time password. And if that password is used, the system marks off that the increment ID was X and we've now used a one-time password. Now, what if someone were to try to intercept or get that password? I got it, you know, Tom, I copied it and it authenticated. I'm gonna try and use it again. Replay attack. The way the counter protects against this is it increments the counter and let's say I'll use Bitwarden as an easy example. I log in at Bitwarden and let's say you were screen capturing me and you were able to somehow intercept the input of my OTP. Well, it's one time. If you tried to replay it back, the system would go, no, the counter doesn't match because I had a counter of this. I expect the counter to always be higher, even if it's multiple times higher. The reason it has to be up to multiple times higher is because what if I log into a few other services that use YubiKey OTP? Well, the incrementing goes up. So it just has to be greater than the last authentication used. It can be one greater, it can be, if I use it 20 times, 20 greater. This is kind of the genius of how they do it and this is why even if you were to see my YubiKey and watch me type it a couple of times, you can't reverse engineer it and you can't do this. You can't intercept it and you can't replay it. This is a really important factor for how they do the YubiKey. Yeah, and also we have TOTP, which is time-based. Oh, yeah.
It takes the time into account. Yes, that's how you stop a replay, every 30 seconds it rolls. Exactly. So then you're thinking about things like Google Authenticator and Authy and they have their own solution for that as well where you have like a code on your smartphone that's changing, you just gotta type it in really quick before it changes again and that gets you in. So there's also that. And then there's FIDO2, which I admittedly haven't done a lot with. My understanding of that though is that they're trying to get rid of passwords altogether. It's almost like a key pair relationship where you have a shared secret and then you have some information that you don't share and that gets you into sites. But I haven't really seen or researched yet how common that is. That's something I'm in the process of diving more into, I don't want to say yet. The adoption is definitely one of the huge challenges here. A lot of places, because of the openness, have adopted the YubiKey OTP, but some of the other authentication methods have been, I think, a little slower to adopt. I think people get a little afraid to implement them. Yeah, and I understand why because if you're, I mean, you should never do this. If you're inventing your own security, you're writing your own libraries, then you could forget something or have something happen in the code or an overflow or some kind of thing that would allow somebody to get in or weaken the security. So generally speaking, you want to use something that's tried and true and that's been audited, but you get off into the weeds when you start to configure some of these things. And I think it's unfortunate that people are slow to adopt it, but it's also a good thing because we shouldn't just blindly accept every security solution that comes our way. We do need to vet it before we implement it, especially in enterprise. But that being said, it's just adoption's slow. Like I remember in 1993, they said VR would be the future.
Like, yeah, we still have VR now, but is it as widespread as they said it was? No. That is not the future we asked for. We didn't want to talk, because we don't want Zuckerberg in charge of that. No, I want the, what do they call it on Star Trek where you have that room you go into? The holodeck. The holodeck. Yeah, that's what I thought we would have by now, something like that. But no, here we are with the Oculus of all things. Anyway, adoption takes a while. That's the problem here, but because the YubiKey supports several different types of authentication, chances are, whatever you use, whatever accounts you use, you'll be able to protect it with a YubiKey. Yeah. I've seen a few people mention in, I mentioned Linux. Yes, it supports Linux, but yes, you can use a Microsoft account, even have your Microsoft login set up with it as well. So I don't want to leave the Microsoft people out. So, someone out there. Mac, Windows, Linux, it works with everything. You don't even have to have a GUI if it's a Linux server, it doesn't matter. It works with all of that. So if you can imagine it, it probably works. I haven't seen very many use cases yet, but we should kind of get one thing out of the way because you mentioned buying two and why would you do that? So the thing is, we're all human. I'm not sure how waterproof these things are. I remember one time I had a flash drive on my key ring. This is a long time ago when having a flash drive was like a really cool thing and now they're practically disposable. And I live in Michigan, so I dropped my keys in the snow when I was trying to unlock my door and the said USB flash drive no longer works. But I don't know how durable the YubiKeys are because I'm not trying to torture test them right now, but the idea is if you lose it, if it breaks, that's bad because you can't get into your accounts anymore. You need another way.
So you could have another YubiKey, maybe in a safety deposit box somewhere that you could go and grab if you need to go ahead and get into your accounts again. So having two is generally a good idea. Now, if you're like me, you can lose two. You could probably lose five of them, but that's another story altogether. But at least having two because we're human, things happen, it's just the way it is. You need a backdoor to get back into your accounts if you're relying on one YubiKey. One really annoying thing that I've noticed with this stuff, with security in general, and I think this isn't a YubiKey problem, this is just an industry problem. I can't remember which service it was, but I had two-factor enabled as I should and I wasn't able to get in. I don't know why. So I found a button on this account. I really wish I could remember what service this was, and it just said, you know, reset second factor. So I clicked on it, it sent me an email and I clicked on the link and then I was back in. And I kind of feel like if you have that on your service, then the YubiKey itself isn't really going to help you because if a hacker got control of your email then they will also click that "I don't have the YubiKey" link. And then all of a sudden they'll reset that and they're in. So I kind of feel like having that link in a service to easily bypass the second factor really just makes it worthless. A lot of companies, they do that to try to be a little bit more convenient to the user base, which I think is hugely wrong. And often, you know, there have even been a few crypto heists where they were able to bypass some of the 2FA systems. Once there is a bypass method by link, for example, to email, there's a greater potential for that method to be exploited and leveraged as a way to get around some of these. So yeah, poor implementation is a huge one and I've dealt with it directly in my industry. We had to call out a company and they eventually fixed it.
We won't say the name of the company because they did fix it without being called out, but we had to engage with them to get them to stop that ability in some enterprise software that we used. We told them, this is really wrong, people. Like it's so easy to get around the 2FA, it's almost pointless to have it because you can just do a reset. For my personal favorite, the SMS messages that have the code, when SMS is so easy to eavesdrop on. So it's like that doesn't help much. Yeah, so poor implementation is not gonna be YubiKey or, excuse me, Yubico, which is the company that makes the YubiKey. It's not their fault if a service is like that. Now I do understand a service. It costs a lot of money to employ customer service representatives and if you don't have a way to facilitate people regaining access to their accounts, you're gonna get a lot more calls. But at the same time, the way I feel is that if I decide to use a YubiKey or a similar hardware device, then if I lose it, it's my fault, right? I don't feel like I would ever wanna put that on a customer service agent to help me because I made that decision to lock my account down so no one else could get into it. And if that also means I locked myself out, well, I took that risk when I set this up so they shouldn't have a link on there to bypass it because I made the choice to not have that. But from their standpoint, it's gonna be, but we have way too many calls and not enough people to answer them. So that's a whole other debate we can get into, or maybe you could get into on your other YouTube channel, but that's not for us today. But the bottom line is you have to at least just put one away in a safety deposit box or maybe stash one at a relative's house. If you trust them, if you were, do you really gotta trust where you put that thing? But at least have a second way to get in if the primary way isn't working. Or isn't possible. Yeah. So now we can kind of get into the confusing aspect of it.
And this is something that I'm still wrapping my head around honestly, but the confusing nature of what to buy, because there's so many of them. Now, any YubiKey that you buy, and they can be as cheap as I think $25 on up to like almost, or if not, $80 US dollars depending on features, any of them will help you secure your accounts. So if you're, I mean, obviously we have a lot of tech people here, this is a tech podcast, but even if it's like a relative that's not tech savvy, you want them to protect their accounts, it's pretty easy, just go into the settings of the service that you are using, basically make your YubiKey able to be that second factor and then you're done. You don't have to know about the protocol. You don't have to know what it's like behind the scenes. So the barrier of entry is small, but when you get past the barrier of entry and you're like, oh my God, which one do I buy? That's where it gets a bit confusing. And part of it, the bigger part of it, is not their fault, right? Yubico, I don't think, just an opinion or a theory, they wanna piss people off. I don't think they wanna do that. I don't think there's a marketing advantage to making things confusing, but the industry, we have USB-C, USB Type-A, we have Lightning and all these other different ports and the average person is going to have unlike devices. Nowadays USB-C is so common that it is very well possible that someone listening has USB-C on all the things and they don't care. They're just gonna buy the USB-C version of it, which is great. But then some people might have an older iPhone that doesn't have a USB port on it or maybe they need USB On-The-Go. Then there's NFC, near field communication. So there's no port. You just kind of, you could actually have it behind your phone and it gets in that way. So that's where you start to get off in the weeds because what if your laptop has USB-C and your desktop doesn't, right?
You could buy an adapter, but that aside, what if you buy a USB Type-A YubiKey and then you wanna eventually use it on your laptop which doesn't have that. So that's when things start to get confusing and now we have the YubiKey Bio which has a biosensor or a fingerprint reader on it that adds another layer of security but that has fewer features than, because you don't have the, I believe it's NFC that you don't have with the YubiKey Bio. So there's a little confusion around that. So that's kind of what I wanna talk about next because it's just one of those things. Yeah, it looks like the YubiKey Bio series FIDO edition supports FIDO, WebAuthn, available in USB-A and C, has the fingerprint on there. But it's obviously, like you said, missing the NFC, which is really handy. If you look at the table, it's just weird because this classic little table where you have the different levels of a product, you have the product and then super product and ultra product and it goes on up regardless of what it is and you have these little green checkboxes where the first one, the cheap one, has like four and then the next one has 10 and then 15. But when you look at the compare page from YubiKey, you'll notice that some of the more expensive ones are missing some checkboxes. So it's not about buying the most expensive one, it's about buying the one that has the features that you need in particular, which might mean that that $25 YubiKey is perfect for you. That's all you really need. And if you need that fingerprint reader, then of course you are going to need the fingerprint reader, but then you actually sacrifice NFC, it doesn't have a Lightning port, it's just USB Type-A. So basically we're talking about desktop use at that point, but to go all the way back to the beginning and work our way up, we have the YubiKey 5 series and I'm actually looking at the table right now. So I'm hoping I don't misspeak here, but the entry level is the Security Key series.
So this is actually the cheapest one, $25 US dollars or the $29, it has pretty much, I think, most of what people need, that you could buy a USB-A version, a USB-C version of that. It also has NFC, depending on which one you get, supports FIDO, we were just talking about that. It does say water resistant, so I guess I didn't notice that, it's crush resistant too. I don't know how crush resistant it can be, but maybe if you drive a car over it, it'll survive, I doubt it though. No batteries required, so there's that. And there's a whole bunch of checkboxes, I'm not gonna read all of them, but what you do is you look at the checkboxes and see what's missing and maybe the $25 one is perfect for you. The YubiKey 5 series is generally what I recommend starting with because it has slightly, actually probably more than slightly more features because you get like one-time password, you can actually use OTP, OATH, which we haven't talked about yet, OpenPGP, there's a bunch of additional security things that the YubiKey 5 series will enable you to have. And at that point, it's just a matter of what connector do you have. Obviously, if you have a connector type that all your devices have, buy that one. So if everything you own has USB-C, buy USB-C. That's probably a no-brainer at this point, but if you have unlike devices, that kind of gets a little confusing. So depending on what kind of hardware you have or what you're protecting, that'll determine which version of the Security Key 5 series you'll go with. Yeah, and I would, like you said, the 5 series, not the Security Key series, but it's called the YubiKey 5 series, has the most support for everything, including a couple of custom functions if you wanna use the personalization tool. Oddly, that's not supported on the Security Key series. I mean, the Security Key series saves you a few dollars if you're buying in bulk, maybe that helps you. But once you go to the YubiKey 5 series, you have all the features you're looking for.
And they do have one for those of you that need FIPS 140-2. That's just more of a compliance thing. So they do have the FIPS series one. That's really gonna only apply to people who have specific needs, usually when you're interacting with government entities. So we won't get too off topic on that because that is a debate in itself. Exactly. Now, the Security Key series, as I understand it, doesn't support login to a desktop operating system or laptop operating system, Mac, Windows, Linux, whatever. There's X's for that. So if your use case is to protect logging into your computer as well, then you can't go lower than the YubiKey 5 series at that point. That's your lowest barrier of entry right there, starting at $45. Now, one thing I think is interesting is that the little matrix here that I'm looking at, we could put a link to that in the description or whatever, but they basically list the password managers that they are compatible with, which is pretty useful. So if you use a specific password manager like Bitwarden, for example, like Bitwarden supports all of them, like literally all of them, but then they call out Dashlane. And I think this is kind of funny. There's an X on everything. So regardless of which YubiKey you buy, you can't use it with Dashlane. So I don't know if they're just trying to make it so that people that use Dashlane know that Dashlane does not support any YubiKey at all, whatsoever, or they might be calling out Dashlane to say, you need to support us. We're putting it right on our website that you are the only one that doesn't. So you need to kind of get with the program here. I'm not sure which it is or a mix of both, but they do list Dashlane as being pretty much impossible to use with the YubiKey. Interestingly, LastPass Premium won't work with the Security Key series. You do require a YubiKey 5 to work with LastPass Premium as well. So I thought that was interesting. Yep.
And as soon as you go to the YubiKey 5 series, then you get support for Keeper, whatever that is. I don't know. LastPass, you know, 1Password and Bitwarden Premium. But of course, like everything else, Dashlane is a no-go. So that's not going to happen. So Dashlane, I don't know what, if it's your fault, get with the program. I don't know whose fault it is. If someone doesn't want to work with someone, that's all I can gather from that. Or they just haven't gotten around to it yet. Now, the YubiKey Bio series is interesting, especially interesting, because that's the one. Now we're outside the 5 series at this point, right? So that's another series altogether. And currently, I only see one listed. I have several of these I'm going to be playing with. But it has a fingerprint reader on it. So my understanding is that you could have up to five fingerprints on your YubiKey Bio series key, which could be useful if, you know, you want to, you know, someone you trust as an emergency, like you could have them put their fingerprint on there, maybe your significant other or something like that. So basically that they can get in an emergency to use it if they need to do so. But I would say I can't think of a reason why, and maybe you can, but I can't, why you would want to buy two YubiKey Bio series keys. Because when we say that you should have two, we don't mean that you have to have two of the same. You might, if you have like a minimum feature set that you need, but it could be the case that you might have a Bio key, which is more expensive at around $80. And then your second key might be just a YubiKey 5 at $45, depending on what's important to you. One's in the safety deposit box, for example, you don't have to worry about someone stealing it and using it because unless they were able to do that there, but the YubiKey Bio series actually has, like I don't want to, I don't know if it's like the fewest features. But you're right, it does.
There's a lot of X's and when you look at the YubiKey comparison chart for those, it's definitely missing a lot. So I don't think that would go with it. Well, yeah, you know, and that's a shame because it doesn't have NFC, for example. And you would think if you're paying $80, which is their most expensive key, it can go up to $85, that you're going to get everything, right? Because you're buying the most expensive one available, but you're actually getting fingerprint access in exchange for losing a lot of other things. Now the fingerprint access is really cool because you're essentially locking the key with a fingerprint, so if someone does grab that key and they don't have your fingerprint, they can't use it. So that alone might be- It's a nice advantage it has. That is, that really is. And having five fingerprints, I mean, it's, you know, if one finger, you're eating Doritos and, you know, your left hand is especially cheesy. If you've got your right hand ready, so you just enroll your other finger on there, you know, we all snack, it's a pandemic, no judgment. You could put up to five fingerprints in there too. And that's the test we really need is how many Doritos fingers or Cheetos can I eat before my YubiKey quits working? There's the test we're going to have to do at some point. Did you say April Fool's joke? But no, in all seriousness, I mean, you're losing out on OTP. Nope, OAuth, nope, OpenPGP, no secure static passwords, nada. It's not FIPS compliant. It's available in USB-A and C, but not Lightning. And if you still have one of those, it doesn't use NFC, which NFC is really cool. It's just something about having a phone and just kind of having your YubiKey behind your phone and then it just unlocks, which is pretty neat. But you can't do that with that one. But my understanding, I haven't tested this out yet, I thought that you could set this up to have fingerprint access to log in to your computer.
But I'm pretty sure, but on their diagram, they have X's next to Windows, macOS and Linux for logging into the computer, which I thought you could do. I thought I read that. I'm going to be totally testing that out in my video, so I'll have a final answer on that. But according to this, they're saying that that's a no-go. So it's looking like the YubiKey 5 series is going to be for the majority of people that are watching or listening to this video or this podcast. Yeah. One of the other things, so basically to sum it all up, the YubiKey 5 series has the most features. Look at the comparison chart. That's the one I get. It's a little bit more expensive, but absolutely worth it. I am paying so you can do all the fun things with the YubiKey. Yep, all the things. Yeah. Now, other cool things you can do with the YubiKey, kind of related to that. And this is also why you may want the 5 series. Now, somebody pointed out right away at the beginning that yes, you can only do up to 32 of these, but you can store your standard TOTP authentication inside of the YubiKey. It's got 32 slots that can be written to for scanning QR codes. It's actually really clever because you're thinking, well, I'm used to using this with my phone. How do I scan a QR code with a device? Well, this is a cross-platform application. So it works on Linux, works on Windows. It's a Yubico application that you load on your computer. You plug the key in. It will then read from the key and find any of the TOTP that you have and set all those up. And it's great. Copy, paste them right inside your machine and when you remove it, they're gone. There's no storage being used on your computer. The computer is simply reading it. Now, the same application works on iPhone, works on your Android device as well. And you can do this over NFC. So you can just bring the YubiKey close enough to the phone. It can read the NFC chip. It can populate your two-factor authentication.
And now you have your rolling TOTP numbers. But how do you get them on there is actually really simple. Use that same YubiKey application. And when a QR code is on the screen, you can tell it to scan the screen for a QR code. And then it will scan the screen, find the QR code and update that YubiKey. Now, one real strong piece of advice is if you have two YubiKeys and you don't want to lose these TOTP codes, because they're not reversible back out of the YubiKey. It does not have a methodology by which it does that. You actually will open up the application, scan the QR code, but don't close the window for whatever you're setting it up in. Then you'll program that key with the code. Remove that key, put in your second key, scan the screen again. Now, this time when it scans and sets up the code on the second key, go ahead and put the code in, unless you have a third key and you want to keep repeating the process. This will allow more than one key to have the same TOTP codes. That way, if you ever lose one of those keys, you have it on your backup key. The inconvenience, of course, is if you ever forget and get these things out of sync because you've added or changed one and you forgot to do that process, you'll have to just keep that in mind to be very conscious of it. The other downside, of course, as I mentioned, 32 seems like a lot of numbers, but for those of you that have a lot of things on two-factor, I have way more than 32, so. I think I do too. Yeah. I think I do too. There is that as a disadvantage. So I would say maybe it's good for some of your really critical things, your few critical things, and then decide what app you want to use. I know someone mentioned Authy in the comments. Authy is a really popular one. I don't use Authy. I use a tool called Aegis, A-E-G-I-S. I'm a huge fan of Aegis. I plan to do a video on it pretty soon. Aegis is an open source application that runs on Android and will allow you to do two-factor authentication storage.
It's got a really clever storage mechanism, but we'll talk about that at a later date. I like Authy quite a bit. I mean, I'm not sure if I'm gonna stick with it, but for right now it's fine. And just for people that don't know, Authy is like a Google Authenticator replacement and it's compatible with Google Authenticator. So if a service is saying, enable your Google Authenticator, you can use Authy in place of that as a drop-in replacement. But what's cool about that is you set up an account and I've seen people, they lose their phone or they upgrade their phone, right? And then they don't have their TOTP at all. But with Authy, you can actually log in and pull that back down, which is really useful. Just make sure you have a really good password protecting that, but obviously that can be helpful in making sure that you don't forget something. As far as whether or not I would use YubiKey for that, I don't know yet. I'm still kind of, I don't know, maybe 70% through the outline of the video at this point. So I should have that out within a few weeks and then I'll outline those features and what I think people should be using. Yeah, and it's worth mentioning too for this, because you can just take this key and bring it by your phone or bring it by someone else's phone who has the app loaded, it might be worth putting a password and locking it so you have to actually unlock the application itself. Just an extra little step, because obviously if someone wanders off with your key, they're small, they're easy to lose, but they're also easy for someone else to find, therefore a good way to look at this is gonna be you probably should have a password on there so other people can't read your TOTPs. The other side of this is it's your second factor of authentication, not your primary. So they would still require that they know your password and then use that.
And of course, if you realize you have lost or someone has wandered off with your YubiKey, you should go through and start resetting all of your 2FA, because once it's no longer in your possession, you have an unknown quantity. And a story I so wish I could share about this where someone had to rekey everything, because a friend of mine who works at a very large enterprise company did lose his keys. You don't think he even stole them. He left his laptop on top of his car and drove off, and it was a very specific laptop supposed to be kept in a security case that was not. I am a major klutz, but I have never done anything like that. That is on a whole new level, I think. It caused them to have to rekey all of the servers at data centers because they didn't know the status. They said, was it in an unlocked status? He says, I honestly can't remember. I was moving and I meant to put it back in the case. I put the case, that he keeps it in a locked case because they had the signing keys on it so they could sign software, and they very much keep it shut down, password is unlocked, but he just was using it outside and he did finish something before he moved instead of not his car and put the case locked in his car. He panicked when it wasn't in there, then he realized, I left the laptop on top of the car. Yeah, context switching is really hard to do. You know, you're doing one thing and then you have to switch to another thing, just kind of like having a meeting before this podcast started and context switching and starting this one, but that's the eternal struggle of multitasking, I guess. Yeah, but nonetheless, do lock these devices, especially because they're so easy to do, and I mean, it really comes down to your personal threat level. More than likely, if someone were to find this, the average person doesn't know what the YubiKey is.
Sometimes we get caught up in a tech world and yes, it's a security threat, but the other side of it is if my wife saw it, I don't think she would know what it is, and I work in security, she knows what I do and she wouldn't know what the YubiKey is if I asked her. Like, I'm gonna throw this flash drive in the garbage because every time I put it in the computer it just spits out random gibberish and then it doesn't show a drive or anything. So obviously there's something wrong with this thing. I'm just gonna toss it, is probably what most people would do, I guess. Right, so those are a few thoughts on there. All right, what's the next topic? Well, I mean, I think for me that's kind of like the basic thing, because the next stage, because we just talked about what it is, is how do you set it up? There's PAM modules, there's all this, and that wouldn't really apply to a podcast in my opinion. That's why I mentioned your video at the beginning. Jay's got an entire tutorial of how to load the different PAM auth modules, how to set up your repository. I will make sure it's in the show notes, and absolutely it's great for setting up those different authentications, which includes managing the GDM, the GNOME display manager, so you can use your YubiKey for your login there. You can have it as part of your sudo. So you type in your sudo password. The only thing, and I don't think this has changed, Jay, and Jay commented on the video on this, when you are prompted for your 2FA for your sudo, you type sudo, it prompts you for your sudo password. It doesn't prompt you for the YubiKey. If the YubiKey is not installed, it just fails, but without telling you it's the YubiKey missing. That was something I remember bringing up in the video and I'm not sure if there's a fix for it, but I'm hoping to look into that and see, maybe it's better now. So yeah, it's what you said. It's like it's looking for something, but it failed the password, but I typed the right password, what's going on here?
No, the YubiKey wasn't plugged in and wasn't accessible or whatever. And sometimes it'll just wait for you to press the button, but it's not telling you what it's waiting for. Obviously it wants you to press the button, but it's not like, please press your YubiKey button. It just has a blinking cursor last time I tried it. To my knowledge, they still have an update of those modules in there basically. I was reading through, I didn't try setting it back up before the podcast to see if that was the case because I'm not using it currently for my law. Now, one thing that there's plenty of write-ups on, but maybe I'll do a video on this, is there's a way you can use it for LUKS encryption. So you can use it as part of your boot up. Now I highly recommend, I've done a video on LUKS encryption already, but not specifically LUKS plus YubiKey, but with LUKS encryption, it is boot time encryption. Well, it can be used for more than boot time. You can use it to just decrypt different drives, and I use it for that, but LUKS encryption can be set to boot partitions. That way when you boot up your computer you have to unlock it to get any further. This prevents people from doing things like removing the hard drive and getting any of the data off of it. So even if they have physical access, LUKS encryption is nice. Now where you can use YubiKey in this, there's actually a LUKS YubiKey integration and there's write-ups right on YubiKey; they have a whole how-to on this. And this allows you to then touch the YubiKey to unlock your system for finally finishing the boot up process.
This is actually pretty cool, but obviously you do want to make sure if you set something like this up there's ways to also combine it with a password, that way they can't unlock your computer, because what if you left your YubiKey in, what if you have one of those little YubiKeys and you just leave it in the USB slot and someone takes your laptop when you're ordering some coffee at the coffee house and you're like, I didn't realize that you left it on there. There's also people that do things like tie a string to themselves. They got the little retractables to pull it out every time you get up from the computer. There's a few different ways to mitigate it, but you can combine it with that. Now one final thing I'll mention is the YubiKey personalization tool lets you reprogram the YubiKeys. Yeah, yeah, I was about to bring that up too because we have several or a couple apps. And the first thing, you know, as I'm dusting this subject off as well, do I need that now? No, you don't need an app to use a YubiKey. I mean, it's good to have it, but you just basically attach it to your computer and then just enroll it into an account. But there's two apps. There's the YubiKey Manager and the YubiKey or Yubico, I should say, Authenticator. The Authenticator being a replacement for Google Authenticator. I have not used it yet. So I can't speak about that, but we also have the YubiKey Manager which allows you to actually edit the features on a key. You can actually disable a feature. If it's something that you never plan on using, like you just don't wanna have FIDO for whatever reason, just disable it. You could do that in the app and there's other things that you could do with the app as well. It's good to have, not required. They have it for all the OSes, you know, the Linuxes and the Windows, and all your Mac people out there will have access to these apps, phones in addition to that.
So if you need more control over your YubiKey, you'll download the Manager, and if you wanna just use the Authenticator, then you can download that separate app for that purpose. And that's why we have more than one app, because there's two different purposes. Absolutely. Now, one of the wonderful smart people in our chat said there is, Marco says there is an option to prompt to put the YubiKey in in the PAM module. So that has been, again, really probably a non-default config, but can be configured to prompt it. So let's do some testing with that. So make a note of that, Jay, when you make your new video, to that module to note, because that's definitely worth enabling so you know why you failed if you're using it in the sudo system. Right. And yeah, I kind of assumed, you know, as I was talking like, you know, I bet there's probably a way to prompt a message, because pretty much everything in Linux there's a way to prompt for something, you know, just send something to standard out while you're doing something. So even if there wasn't an official way to do it, I'm sure there's a way to do it, but that's, yeah, the video does need to be remade. It's a little rough around the edges. It works, everything's fine, but I could do better and I will, and that might be one of those things. And worth mentioning too, because of the programmability of the YubiKey, you have slot one and slot two on those YubiKey 5 keys we mentioned, you can program slot two to be a static password. Now you could decide what that static password is. Now obviously this is easily, if someone took the YubiKey they would have that static password with a long press, which it gives you slot two, it would dump that information out, but where you could find some usefulness in this, you could have a password you type and then you can have a longer string that's part of the YubiKey.
Now you combine two pieces of things, still kind of a second factor, and it's gonna be useful if you have things that you can't actually go through and integrate fully with YubiKey, but you wanna have a stronger password for something and you wanna have it on a module because it's something that you know you can't just use and password fill with a password manager as easily. You could have that slot two be that, so even, let's say you wanna use your LUKS system on boot but you wanna have a password, so you type the first part of the password that you know and then the next 20 random characters come out of the YubiKey, consistently the same random characters, just random as in when you programmed them. It's kind of another workaround. It's not gonna be the absolute most secure, but it's a move forward in security is how I look at it. It's not the, it's better if you did the whole LUKS integration, for those you might be looking for something simple. And I've seen someone mention using it like essentially like a password salt. It's gonna be a static one, but it's a way you can have it so you can have a consistent way to authenticate something and do it. So just more use cases and stuff, fun stuff to play around with with the YubiKey. Yeah, I think that's something that you'll find after you get used to the YubiKey, there's other uses for it, other ways or clever ways people have found to, you know, implement it and do something. Like as you were talking I'm like, could I just like type in a Linux command in that slot and then just long press, cause it's like I forget sudo all the time, so maybe I could just have the long press be sudo exclamation mark exclamation mark, so every time I forget to type sudo I just press the button and then I'll just repeat the, it was sudo in front of it. That's not even a password or anything private, it's just, you know, maybe I could just set a convenience or something. I'll just press a button and now htop comes up or something. There's all kinds of, you know, crazy
things you could probably do with it if you put your mind to it, and many people have. I think GitHub probably has a bunch of stuff on there if I remember correctly. Yeah, yeah, there's, I'm sure there's a lot of use cases we have not covered, but that's the flexibility of these. They're pretty cool. It's great for secure authentication. Matter of fact, we like some of the enterprise software that we're using, some of the stuff we switched to, I really like the YubiKey authentication, cause every time you have to do a privileged command in it they actually just have you touch your YubiKey as opposed to entering your TOTP each time, which, because they have a high level of security for mass actions, it makes you think a little bit more, but it also adds a little bit of convenience of, cool, I don't have to go get my TOTP code each time, I can just touch my YubiKey and let me have this privilege escalation for this particular thing I need to get done. So I'm hoping to see more integrations with it. It's a great system. It works great in Bitwarden. I'll mention too, in Bitwarden it's not your only authentication, it can be an addition too, so you can still have your backup, either your backup codes or your backup TOTP, and the YubiKey is an additional level of authentication, so you don't necessarily in that circumstance have to have two YubiKeys cause you have another method to get in if you were to lose it. Yeah, that's what I use actually. I have YubiKey mapped to Bitwarden and then I have, I think it's like Authy as a second, I can't remember, so basically when I try to access Bitwarden it says press the button on your YubiKey. If I don't have it plugged in then I just say, well, I don't have it with me, then it takes me to another screen where I can put in a TOTP code from another app and then I get in that way. So if you had everything, if you just wanted to lock your password manager down, I mean, that alone could just be a use case for this. Yeah, so this was, by the way, we should have got this sponsored by YubiKey. It was not, but
this is what I was excited about. You know, I actually reached out to them because I like them so much. You know, the way I look at it, if I like a company maybe they'll want to sponsor, but I literally sent them a couple of emails, cause I bought, when I bought the YubiKeys they looked at my email address, you know, the company domain name, and like, oh yeah, you're that guy. Like, yeah, do you want to sponsor videos sometime? I love your company. They've never responded. It's been months, so I guess they just don't do that. Yeah, I don't know how often they do any type of sponsored stuff on there. They're such a well-known brand. It's not like we're trying to promote them as a specific brand as much as they are such a well-known brand, they're so well, they're just there, omnipotence in the market. They're pretty much, I can't think, I don't think they really have, cause Google, they have something similar for their own security. Google has those special security things they were doing, but I can't really think of who a direct competitor is to the YubiKey platform. Gonna be the Titan keys from Google, I think, but the Titan keys were for Google specifically and not necessarily for everybody else. For example, when you look at authentication methods supported by LastPass Premium or Bitwarden Premium, you don't see Titan in there, you see YubiKey. I thought they were universal, or maybe they are now, I don't know, but I thought they did make something that was competing. But either way, yeah, I mean, there are other things out there. I think I've seen some off-brand ones that kind of scare me, but they're cheap, right? And the way I look at it, it's not that if you buy the cheapest key that you can get, it's not that big of an investment, and yeah, we love it, but to be completely fair, if YubiKey had like a massive security breach tomorrow and did something really stupid in the security that came out, we would drop them like so quick. Like we would just go on the next episode, be like, yeah, about the YubiKey thing, you guys need to stop using that.
We'll just totally throw that out there, but so far, knock on wood, we haven't had any big problem, and YubiKey, or Yubico, has actually been a big and a good steward of security. So, so far I trust them, but you know, to be fair, my trust is never 100% in IT, because, you know, everything does, things change, companies get bought, like we're talking at the beginning of the podcast. Just like, just minding your own business, oh wait, what? Yeah, what's next, Ubuntu getting bought out by Microsoft? You never know, right? I didn't mean to, we're waiting on that one still. We've been predicting that one for years, we just can't believe it hasn't happened. No, they'll probably buy SUSE. Anyway, that's a different topic. Somebody will buy something. They're too busy buying, Microsoft is too busy buying video game companies right now, so they don't care. Yeah, they're trying to buy, you know, they're not in, they don't have the push they had in the school market they used to, so now they just buy the game companies and go, hey, you liked us, remember we're the Minecraft people, come on kids, buy Microsoft stuff later because we're the Minecraft people. Remember Minecraft? You like that, right kids?
Yeah, yeah, you want our system, mom, yeah, you liked our software, come taste this Microsoft Office 365 that we keep raising subscription prices on. Oh boy. I mean, Microsoft sounds maybe a little bit creepy. Wait, they are a little creepy. You know, we could probably have a whole episode about that. I won't go on a crash on Microsoft, I'll stop. They do some good things too. They do some good things. There's actually been a lot of good. I've been there, I've interviewed people like Jeffrey Snover. If you check around you'll find some interesting topics I've had. He's the guy that came up with a little thing called PowerShell, maybe you heard of it. There's some definitely really good people on there at Microsoft. I will dog on them as some of their past, and they're still a large corporate company that occasionally makes bad decisions, but there are some really good and really talented smart people that care about the greater ecosystem of things, actually care about open source too. So I will completely say that I just like making jokes about them and their corporate overlord buying everything, because you're right, they're buying all the game companies. Well, speaking of, yeah, like insanity and things like, someone, I have to bring this up, in the chat room it was just so funny. I don't know if this would work in practice, but Winston mentioned security through insanity, where you have like a bunch of YubiKeys, you have to press them in a certain order to get into your, I'm pretty sure though that when you press the YubiKey button that the enter key is programmed to, like, press enter, so I don't know if that would work, but that'd be hilarious, where you have like four YubiKeys, you have to have a certain pattern, but then again, like, are you gonna plug them in the same order every time, mom? That's just funny, you know, security. What if we did this as an escalation? This could be a fun video, Jay, because they press enter, you actually set the system to prompt for a series of YubiKeys, so any elevated privilege action
that was gonna be very, needs a high level of authentication, let's just say you would have the first person put the YubiKey in, second person, and a third person, or three YubiKeys in some pattern. That actually could be done that way, you need two people's authorization or three people's authorization to actually get an action done. This could be fun. Another thing, we could probably do this in the SSH modules, where you just loop it to require more than once in the PAM module. Maybe there's a way to tell it to ask for each key, because then when you're setting up a season, yeah, all right, you guys got us way off topic. I think one last thing I'll mention, to go further off topic because why not, right? What if you want to reboot a server and you have three system admins, each one has a YubiKey, and each person, they're remote, they each have to press the button in order to reboot the server. So it's kind of like how the nuclear reactor is, like, oh yeah, I have to have like this key and this key and this key to reboot a server. You have three admins, three YubiKeys, and each one has to press their button to facilitate the reboot, so no one person is to blame for a reboot that shouldn't have happened. Absolutely, that's one of the crazy things you could do with this stuff. Yeah, I do like, someone said use the Shamir secret splitting scheme, where you can have, we always need a quorum of at least three out of the four people with the secret together. So yeah, that could be fun. There's so many different ideas. Just add rm dash rf slash, because someone mentioned something similar in the chat, have that be the thing and then just throw it out in the middle of a, you know, parking lot, see if anyone's stupid enough, and if they're running Linux, they, or Mac, they plug it in and press the button, they wipe out everything. Yep, you shouldn't have used it, you shouldn't have done that, don't ever do that again, put something in your computer that you found on the street. Absolutely. All right, don't do any of those
things. I'm just in an oppositional mood, I guess. Yeah, it seems like fun though. Come on, it kind of does, right? Yeah, I actually have a bad USB here that we play with at the shop. I haven't tried it yet. I'm going to see if the new guy will put it in his computer, so that's always the fun thing, is hand it to the new guy. So it just goes over to my friend Xavier's site that says you have been hacked by Xavier, and it launches a browser in Windows and opens up his site. We're not a rickroll, I mean, that'd be the best. Yeah, what it brings you right to is how to buy security from him and auditing from him, so. But a rickroll, that is so brilliant, that's the best way to sell your services right there. Yes, yes. So, all right, well, thank you very much. I will have Jay's video where he talks about how to get this set up. Jay is coming out with a new video that will be out, but you can be watching it sometime in future net videos out, and that will also be in the show notes if it exists yet, but either way, check Jay's channel, he's got lots of great stuff over there regarding this. And awesome, thank you all for joining us and we'll see you next week. Thank you.