• expired

Yubico Security Key NFC US$10 (~A$15.52), Yubico Security Key C NFC US$11.60 (~A$18) (Cloudflare Customers Only) @ Cloudflare


The offer is open to any Cloudflare customer. Cloudflare customers can claim this offer for Yubico Security Keys directly in the Cloudflare dashboard.

Yubico will ship the keys to customers directly. The specific security keys and prices for this offer are: Yubico Security Key NFC at $10 USD and the Yubico Security Key C NFC at $11.60 USD. Customers can purchase up to 10 keys.

Original Cloudflare blog post

I would recommend buying two keys, one for day to day use, one as a backup.


Comments (closed)

  • Is it better to have a key instead of a 2FA app like Google/Microsoft Authenticator?

    What's the purpose of 2FA anyway? I woke up to a surprise that someone in Sydney had changed my FB password; luckily I was able to recover it. This just happened recently.

    • +8

      Some people use both a key and 2FA App (some services will let you choose which one to use to verify a login). A hardware key can be better instead of reaching for a phone or when it's out of battery/lost.

      Keep in mind not all services will support a hardware key.

      2FA (2 Factor Authentication) adds an extra layer of security to your account. With all the database hacks and leaks these days, there's a possibility someone else may know your username and password. By enabling 2FA, they would need to know your username, password and the current 2FA code.

      • -1

        Most people nowadays carry their phone wherever they go, and it is usually very close by.
        With these keys you need to find somewhere to put it, to carry it with you.

        People can also recharge their phones anywhere with a USB port, or they can carry an extra battery charger.

        If people are using a banking app or social media app on their phone or whatever that needs the 2FA, it is also on the same phone they are using.
        With these keys you need access to a USB port to use it, so you might not always have access to one, which means the keys are useless.

        If you lose the key, it is hard to know where it is.
        A phone can be found with "find my device" etc.

        A phone also has security to unlock to authenticate you before you can use the 2FA app etc.
        These keys, anyone can just use, if they can get it off you.

        Phone 2FA is free since most people have phones nowadays,
        so no need to buy some keys to do the same thing.

        Therefore phone 2FA is better for those reasons.

        Note: the phone does have some weaknesses.
        I think the main one is if they get your phone number somehow (porting),

        or they can get access to your phone (and can unlock it), though that is like losing the key anyway,
        so you can discount this negative.

        • "with these keys you need to find somewhere to put it, to carry it with you".
          It has a key ring you can put together with your other real keys, unless you don't bring keys? :)

          "With these keys you need access to usb port to use"
          If you do banking on your phone, this key has NFC so just tap… If on the laptop/PC, don't worry, as long as there is a USB port this key will work; the PC sees them as a keyboard.

          "These keys, anyone can just use, if they can get it off you."
          But they need to know your user and pass as well….

          • -1

            @CyberMurning:

            "it has key ring you can put together with your other real keys, unless you dont bring keys ? :)"

            Of course we bring keys with us,
            but there are people who like to carry only the most essential keys.
            This adds another item/bulk in our pocket that we don't need.

            There are also people with electronic locks who have no need for physical keys.

            Then there is the need to detach/attach this device each time to plug into the USB port.
            Another hassle.
            Or are you going to plug this in the USB with your keys attached?

            "if you do banking on phone, this key has NFC so just tap … if on the laptop/pc, dont worry as long there is usb port this key will work the pc see them as keyboard."

            Again… another hassle.
            Use your phone; the 2FA is on the phone as well, so no need to take out your keys or find where you put your keys…

            People misplace their keys all the time… then you are stuffed.
            With the phone, you can find it with "find my device".
            You can also remotely lock it to prevent access.

            "but they need to know your user and pass as well…."

            Well of course… you are stating the obvious there…

            The point was to use the 2FA app on the phone; there is a layer of security authentication before you can use it (i.e. biometrics or whatever you set up to unlock your phone).
            Then inside the 2FA app, you can set up another security authentication (with biometrics or PIN etc.).

            There is no layer of security authentication with this key to prevent someone using it if they have knowledge of your username and password.

    • +1

      The purpose of 2FA is exactly that. Someone can't change your password or log in to your accounts without having direct access to (usually) your phone number, so unless your phone gets stolen or they clone your sim card, there's no way to access it.

      Think of it as a digital deadbolt. If someone manages to unlock your front door, they still can't open it unless they can also somehow manage to unlock the deadbolt.

      • +3

        These security keys are even better than that - you need to physically be present to activate it. I don't know of any instances where these keys have been cloned remotely (secret key material has been extracted from Google's Titan security key/chip - that requires physical presence). They are essentially phish-proof too - someone cannot ask for your 6-digit security code just sent to you and log in before you can.

          • +18

            @TheRealCJ: "For regular people with regular lives, having a security key to log in to your Facebook account or your bank account is…"

            … is absolutely normal, and should be the minimal level of security for any service that contains financial or personal information if you're not using an authenticator app instead.

            Regular people with regular lives are targeted every minute of every day.

            • -2

              @Nom: 2fa is fine for most people.

              • +5

                @TheRealCJ: Absolutely.

                That's what the Yubikey is 🤗

    • +8

      Hardware keys protect against phone porting scams (https://www.nab.com.au/about-us/security/online-safety-tips/…)

      Note that (almost?) no Australian banks support either hardware keys or TOTP based 2FA like Google Authenticator.

      These hardware keys support TOTP based 2FA (like Google Authenticator) as well as U2F (https://en.wikipedia.org/wiki/Universal_2nd_Factor).

      • Using a 3rd party system or storage like AWS is regulated or something. Someone that works for the bank told me years ago, but I wasn't paying too much attention.

      • Do NAB, Commbank etc. support this YubiKey but not authenticator apps?

        • +19

          I've yet to see a bank that supports anything more than SMS 2FA, which is pathetic.

          • @schquid: Bank of Queensland, even though they were stuck in the dark ages for so long, support both an app based 2FA or physical token on their old banking platform. It's not the standard TOTP though so you need their proprietary app, and you can't set it up online.

          • +2

            @schquid: Macquarie and ANZ offer their own authenticator apps in lieu of SMS 2FA. It's definitely getting better.

            • +6

              @kipps: But they should allow a standard authentication app like Authy or Google, for example.

            • +2

              @kipps: I think Macquarie is very easy to recover with SMS 2FA though. It's only as strong as its weakest link.

              • @Tnetennba: I can't find an SMS fallback… unless I call.

                Try logging in, click you can't use the push notification, then your options are

                Verification method
                Select one of the options below to verify another way.
                - Push notification
                - Rolling code

                Both of course require the Macquarie Authenticator app. No SMS 2FA.

                Macquarie say you have to call if you can't use the app - https://www.macquarie.com.au/help/personal/digital-banking/m…

                If your Macquarie Authenticator app is completely unavailable (lost your phone?), for security reasons, give us a call on 133 174 (+61 2 8245 4470), 24/7.

                • @b3au: Oh that's good, they must have improved it recently. Good to know!

              • @Tnetennba: Can you still signup to Authy? It goes through bloated Twilio crap and I couldn't find a signup option

          • +1

            @schquid: Bendigo Bank do also. They had a physical device that they mailed to customers, starting from 2004 or thereabouts.
            Now they use an authenticator app by Symantec, which I found frustrating, having to install yet another similar app…
            Thank you though for "triggering me" to do a web search; I found this:
            https://ccp.com.au/integrating-bendigo-banks-multi-factor-au…
            and will check it out later when I am at home.

          • +6

            @schquid: Commbank supports device 2FA (codes are delivered to the app) but you can ask for SMS codes at any time defeating the advantage.

          • @schquid: Suncorp has a 2FA app

        • +1

          Rabo provides an old-school security token.

          Yet to see any banks supporting YubiKey-like devices for customers. Same for most other organisations (government sites, telcos, ISPs, etc.). The only Aussie company I'm able to use my YubiKeys with is Fastmail.

          • +2

            @Jabba the Hutt: You can use most YubiKeys with any company/service that supports authenticator apps by using Yubico Authenticator and enabling the setting to require physical touch. But unlike native YubiKey codes, which are unlimited, there's a limit of a total of 32 codes/services via their authenticator app.

            https://support.yubico.com/hc/en-us/articles/360013789259

        • +1

          I opened a Rabobank account for their 4 month savings rate bonus and they sent me a key (not a yubikey).

          But I can use the fingerprint scanner on their android app without the key.

    • Same password on multiple sites?

    • Just don't use email or SMS 2FA and you're good. Unless you're being targeted by the State, physical keys like Yubico are unbreakable security.

      • +8

        The words ‘unbreakable security’ basically invites people to pick apart whatever claim you’re trying to make.

        • +1

          Good point. I mean it from the perspective of the average internet user. Odds are you're not gonna be targeted by the worlds best hackers determined to clone your key.

          • @Valowick: Exactly - if someone is willing to target your physical yubikey, then you’re probably a very interesting person, with interesting friends with creative (and physical) means to get what they want.

        • +5

          True. But while it may not be 'unbreakable security' there have been 0 account takeovers since Yubico's inception in 2007 (including people who are 'being targeted by the state'). Perhaps it is 'security yet to be broken'.

          • @sav11: The point is, that it’s just a piece of technology that needs to be designed and managed appropriately to be considered ‘secure’.

            For 99% of users, it would be considered appropriate.

    • +3

      You should use 2FA anyway. Even if it's just SMS or email as a start, you're much better protected than with just a username and password.

    • +1

      2FA is good, and if you are security conscious, then it would likely stop anyone by itself.

      Yubikey takes it to another level though, because it eliminates the risk of social engineering. People can be tricked into giving two factor codes.

      But they can't be tricked into giving a number that allows remote access somewhere else if they have a YubiKey, because it needs to physically authenticate a device.

      So I’m not sure who needs it more - someone who already has tight firewall rules, good security practices etc…. Or someone like my mother.

    • +4

      2FA is, someone uses your name/addy/bday to port your phone # out. Then they press 'forgot passwd' on your accounts, it sends them an SMS, they get your acct.

      You get absolutely nothing because you don't have the phone anymore. Eventually you notice. And you try to call your accounts dep saying your account is compromised. They send you an sms. You explain to them AGAIN your phone # was ported out. They don't know what to do because it's not in their script.

      Yeah, so that's 2FA with phone. It's stupid. I couldn't access ANY of my bank acct, my cards were blocked, I had no money for 2 weeks had to borrow money to buy groceries.

      With other keys etc I'm not sure.

      • They also need access to your phone to port out because an SMS is sent to verify it's you porting out. So it's not that easy. Still, I agree with you, 2FA via SMS is long past its use-by date.

        • yeah, I hope it's better now, but sms 2fa is moving from a pw you can change anytime, to a single device that once stolen the real user cannot easily restore.
          It's really stupid.

          • @furyou: You still need the password.

            The SMS 2FA is in addition to the account password, it doesn't replace it 👍

            (Yeah, providers that will reset your password with a simple SMS are totally dumb - you at least need to send a code to the email address and via SMS to ensure the password reset still needs access to two factors).

        • +3

          There are ways to do it without access to your phone - else they wouldn't be able to replace SIM cards for lost or stolen phones, lost or broken SIM cards etc. Also, at least until the end of last year, Telstra Business customers were able to transfer a number to a new SIM online (or via a Telstra partner) without any notification being sent to the existing number/user - so the systems at Telstra at least will allow this to happen - and if the systems allow it then a person could be socially engineered into doing it. I only don't know past Dec 2021 because I changed jobs and no longer have access to a Telstra business account.

          • +1

            @WazzaP:

            "else they wouldn't be able to replace sim cards for lost or stolen phones, lost or broken sim cards etc"

            That's not porting out.

            "Business customers were able to transfer a number to a new SIM online"

            The business owns the number, not the individual using it, so the ID of the individual means nothing because the number does not belong to them.

            But again you are talking about a SIM swap, not a port.

            • @spaceflight: I didn't even notice they were talking porting, because sim swapping is the more likely method used by an attacker as it requires the least effort, and lower chance of being stopped. As I said in my post as well, my point about businesses being able to sim swap without an SMS was more about the fact the tools exist, and thus someone could socially engineer someone at a telco to do the sim swap without an sms.

        • +3

          Porting to a different service provider might send you an sms

          Replacing the sim on the same provider cos the attacker claimed "you lost it" won't trigger anything

          • @Tigerhacker: As I read it, Optus (at least) now requires you to go into a store to request replacing a lost/stolen SIM. I can only assume that if you're with a reseller with no physical presence this could make an attack easier.

            • @gadget: That's easy enough to fake for Optus, at least for the 10,200 unfortunate customers.

              • @Tigerhacker: Not for the casual hacker, without getting a fake license made. Unless Optus do a DVS verification on the spot it will be more than the 10k affected ppl!

        • +2

          It's possible to intercept SMS without physical access to the phone.

          That is not possible with YubiKeys.

        • +1

          When I ported from Telstra to Aussie - I received text messages to tell me that it’s happening, and if it wasn’t me to contact them immediately. However the SMS didn’t require any action on my behalf - the process just happened all within 1-2 hours.

          • @kev88au: Same except I didn't receive the text until after it was ported.

      • +2

        Adding another reason to keep some hard cash in ready access. People have gotten so used to the digital convenience that they have forgotten how alienated they get when someone hijacks or you cannot access your regular digital services. I always promote data protection and backup and similarly always promote keeping in touch with the old low tech world just to not get lost if some bigtech decides to ban me from everywhere.

    • +2

      One of the big benefits of FIDO/WebAuthn keys is that they are more resistant to phishing attacks.

      Let's say someone creates a website that looks just like one you regularly use, and you fall for it. As well as asking for your username and password, it can ask you for the 2FA code from your phone. It can then use those credentials to log into the real website to get an active session as you.

      With these devices, the website origin is passed to the device and used in producing the response. So the look-alike website won't be able to get the device to generate the same code it would for the real website.

      The devices can also be more convenient: rather than copying a code from your phone screen into the browser, the device can transmit the code directly to your computer (usually after pressing a button to confirm you want to use it).
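The origin binding described in that comment, as an added example that is not part of the original post or of Yubico's code: a Python simulation of the WebAuthn assertion flow in which the browser stamps the real origin into clientDataJSON and the key signs over the rpId hash plus the hash of that client data. Assumptions: HMAC-SHA256 with a per-site secret stands in for the key's ECDSA signature, and bank.example / bank-login.example are constructed names.

```python
import hashlib
import hmac
import json
import secrets


class Authenticator:
    """Stand-in for the security key: one credential secret per relying-party ID."""

    def __init__(self):
        self._keys = {}   # rp_id -> credential secret (assumption: HMAC key, not ECDSA)
        self._counter = 0

    def register(self, rp_id):
        self._keys[rp_id] = secrets.token_bytes(32)
        return self._keys[rp_id]   # a real key would hand back a public key instead

    def get_assertion(self, rp_id, client_data_hash):
        # The browser derives rp_id from the page's origin. The key has no credential
        # for a look-alike domain and refuses; for a known rp_id it binds SHA-256(rp_id)
        # into the signed authenticatorData.
        if rp_id not in self._keys:
            raise KeyError("no credential for " + rp_id)
        self._counter += 1
        auth_data = (hashlib.sha256(rp_id.encode()).digest()
                     + b"\x01"                             # flags: user present (touch)
                     + self._counter.to_bytes(4, "big"))   # signature counter
        sig = hmac.new(self._keys[rp_id], auth_data + client_data_hash,
                       hashlib.sha256).digest()
        return auth_data, sig


def browser_client_data(origin, challenge):
    """clientDataJSON as the browser builds it: the page cannot choose 'origin'."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                       "origin": origin}, sort_keys=True).encode()


class RelyingParty:
    """The real site's server-side verification."""

    def __init__(self, rp_id, origin):
        self.rp_id, self.origin, self.creds = rp_id, origin, {}

    def verify(self, user, client_data, auth_data, sig):
        cd = json.loads(client_data)
        if cd.get("origin") != self.origin:                       # origin check
            return False
        if auth_data[:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return False                                          # rpIdHash check
        msg = auth_data + hashlib.sha256(client_data).digest()
        expected = hmac.new(self.creds[user], msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, sig)                 # signature check


def phishing_scenario():
    """Outcome of a genuine login and of three look-alike-site attempts."""
    key = Authenticator()
    bank = RelyingParty("bank.example", "https://bank.example")   # constructed names
    bank.creds["alice"] = key.register("bank.example")
    challenge = secrets.token_bytes(16)   # the phisher relays the real site's challenge
    results = {}

    # 1. Genuine login on the real origin.
    cd = browser_client_data("https://bank.example", challenge)
    auth, sig = key.get_assertion("bank.example", hashlib.sha256(cd).digest())
    results["legit_login"] = bank.verify("alice", cd, auth, sig)

    # 2. Look-alike site: the browser uses the look-alike's origin and rp_id,
    #    and the key has no credential for it.
    fake_cd = browser_client_data("https://bank-login.example", challenge)
    try:
        key.get_assertion("bank-login.example", hashlib.sha256(fake_cd).digest())
        results["key_refuses_lookalike"] = False
    except KeyError:
        results["key_refuses_lookalike"] = True

    # 3. Assume a buggy browser passed the real rp_id anyway: the assertion still
    #    covers client data naming the phishing origin, so the server rejects it.
    auth2, sig2 = key.get_assertion("bank.example", hashlib.sha256(fake_cd).digest())
    results["wrong_origin_accepted"] = bank.verify("alice", fake_cd, auth2, sig2)

    # 4. Phisher rewrites the origin field to the real one before relaying: the
    #    clientDataJSON hash no longer matches what the key signed.
    forged_cd = browser_client_data("https://bank.example", challenge)
    results["forged_origin_accepted"] = bank.verify("alice", forged_cd, auth2, sig2)
    return results
```

A TOTP code has no such binding: the same six digits are valid wherever they are typed, which is the gap the comment describes.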

    • Physical keys are more secure than app based (note that this offer is the cheap Security Key, which lacks the higher features of their better keys).

      However they are more hassle to live with since it's another trinket to carry, and they can't be backed up, so it's painful to lose one.

      You should at a minimum be running a TOTP app like Authy and use that rather than SMS whenever offered. If SMS is the only option then do use that.

      • Depending on what you mean by backup, it's actually easy to back up the TOTP seeds: just save them at time of generation. You can then chuck them on multiple keys for use with the Yubico Authenticator app, or save them in, say, Bitwarden, which has a built-in TOTP generator (and can be secured properly with YubiKeys).

    • +3

      Up to you, but realistically you can't go physical only because it's nowhere near as widely adopted as an MFA app.

      Personally, while physical keys are more secure, the idea of having to carry the key around constantly puts me right off them. Security is often a trade off between convenience and security, and for me an MFA app is a much more livable compromise given I go between multiple devices, RDP to PCs in other areas of the house etc.

      I do have a Yubikey and keep a nano one attached to my primary laptop for now, but anywhere I have a Yubikey registered I also use an MFA app for the simple case that I try not to carry a lot around with me and aim to minimise my keychain and wallet, so relying on a physical Yubikey doesn’t fit with how I want to be able to access things. I always have my phone on me but not my keyring.

      Someone noted Yubikey can store MFA codes. While true, my MFA app has 148 codes managed in it today and I believe the max any Yubikey can support is 32 codes. Suspect many people would find that 32 isn’t enough for them which limits that use case.

      Good devices, but I think it has to fit with how you use your PC and what you're happy to carry about. If you don't use one, enable another form of MFA wherever you can.

      • By 148 codes do you mean one-time codes or 2FA login codes (that change every time)?

        • 148 one time password registrations. Believe my password manager has about 650 to 700 or so credentials stored in it.

          On the high end for sure, but 32 TOTP codes in a Yubikey is something I’d have passed long ago given I enable MFA whenever possible. Also that (TOTP via Yubikey) needs an app anyway so it’s not so convenient, I don’t think. If I was to use Yubikey for TOTP it’d be to secure another app that then holds the rest of my codes.

          • +2

            @Smigit: This is why I don’t think the cheap ones are any worse than the 5 series. You can secure things like 1Password with the security key series, and use it for sites that work with TOTP, and use the key itself for anything that supports Fido2, which is hopefully an increasing number of sites.

      • +1

        "my MFA app has 148 codes"

        I don't think I have that many accounts with a username and password!

        • Haha yeah, I think it’s a bit non typical. I do turn MFA on where possible and my password manager 1Password is pretty good at notifying which logins have MFA available so it’s pretty easy to chase it up or go back to old accounts when the sites are updated.

          • @Smigit: Is it paid version or free for 1password ?

            • +2

              @ChipsChicky: 1Password costs money. They sometimes have 6 month or so introductory offers.

              For a free password manager, Bitwarden's a very solid choice.

              • +1

                @Smigit: Note that you need a premium Bitwarden account for it to work with Yubikey. Currently US$10 per year

                • @Dacs: If your company uses Bitwarden Enterprise, you can get a free family account from them.

                • @Dacs: And worth every penny

    • Yes, plenty of recent security breaches have "bypassed" 2FA/MFA, hardware tokens etc., but it's still best to ensure MFA is configured; it does mitigate many types of security breaches.

      As to which is better, Google/Microsoft Authenticator are pretty secure (providing the device is secure) and you enable FaceID etc. to accept the notifications. The apps do a great job of warning you when someone is attempting access.

      Technically the apps can be compromised by anyone with root access to your phone, but this is unlikely for individuals.
      The Yubi solution is great for people that do not have a mobile phone, people that use multiple devices, or high-risk targets. It's basically a lot harder (not impossible) for an attacker to extract the key data from the hardware key.

    • +2

      Don't ever use Google Authenticator, it doesn't have a backup feature.

  • +1

    Thanks OP, I have been thinking about buying some and this is just what I needed to push me to do it.

  • +3

    These are a great idea for your high risk accounts like email, which could then be used to reset passwords to a whole range of services like FB. You can also use it for securing password managers like 1Password or LastPass.

    • +6

      Note that 1Password only allows you to register a single security key, which is quite poor — what happens if you lose it?

      Their answer is to also register for the good old & much weaker TOTP.

      It kind of defeats the purpose of registering a security key at all.

      • you can print off some recovery codes and put them somewhere safe. With the right hack, the TOTP seed could be accessed remotely, but a piece of paper hidden somewhere even you won't find it will be safe from that. But yeah, AWS is the same - you can register only one security key. My last AWS account was in a corporation so they could reset the account if needed, but for personal stuff where there's no-one who can reset the account on your behalf, I very much want to enroll at least 2 security keys.

      • +1

        You can print a recovery code, and put it in a safe.

        On a related note, you should consider how your digital estate will be handled through your will. Including instructions for your executor around how to access your Coinspit account for instance will make their life much easier.

  • +2

    Are you sure it's 5 series? I think there might be an older version, older protocols?

    • +3

      From the blog post in description:
      "Yubico is providing Security Keys at “Good for the Internet” pricing - as low as $10 per key. Yubico will ship the keys to customers directly. The specific security keys and prices for this offer are: Yubico Security Key NFC at $10 USD and the Yubico Security Key C NFC at $11.60 USD. Customers can purchase up to 10 keys. For larger organizations there is a second offer to purchase the YubiEnterprise Subscription for 50% off the first year of a 3+ year subscription. For the YubiEnterprise Subscription there are no limits on the number of security keys".

      Which seems to be the blue ones and probably not 5 series.

    • You're right. 'The specific security keys and prices for this offer are: Yubico Security Key NFC at $10 USD and the Yubico Security Key C NFC at $11.60 USD.'

      It's the cheaper blue ones. I don't know what features would be desirable, but for a start you need the connector that suits your devices. Compare features here:

      https://www.yubico.com/au/store/compare/

      • +2

        Cheapo blue ones..

        People posting the 5 series on twitter so maybe not

        A little more expensive, it would seem.

        https://twitter.com/leonardwongly/status/1575690769058304001…

        4x 5C

        4 = $220
        Dis = $171.11

        Total = $48.89/4 = $12.22 each

        Also looks like we will need to pay for shipping too.

        • https://www.helpnetsecurity.com/2022/10/01/cloudflare-yubico…

          looks like 5 series is only for enterprise customers

        • Let's hope the 5 series will be available. More than happy to pay US$12.22 each. Also no Lastpass on the blue ones.

          update: looks like ppl on reddit have been able to order the 5c's

          • @gadget:
            So people on reddit received some kind of email to enable them to order? After how many hours/days from claiming?

            • @CyberMurning: It was a post that showed an order (not the same as the twitter one) but can't really verify that. In any case we'll all find out in a couple of days what's available.

    • +3

      Got this email (and could order definitely the 5 series):

      Congratulations! You are one step closer to activating phishing-resistant MFA with industry leading Yubico security keys at an exclusive 'good for the Internet' price.

      Even better news! For a limited time, we're excited to surprise you with an upgrade to our multi-protocol YubiKey 5 Series!

      You are now eligible to purchase up to 10 individual YubiKey 5 NFC or YubiKey 5C NFC (minimum 2) starting as low as $10 USD

  • +2

    Can you get a yubikey if you have the free cloudflare tier?

    • +10

      Looks like yes. The offer is in my dash.

      • +1

        thank you

    • Just signed up and had an offer to claim. Awaiting the email to come through.

      Might look at other affordable options if it doesn't. Good time to up my security.

      • I claimed my offer around 1.5 - 2 hrs ago and no email yet. Wondering how long it's going to take 🤔
        Has anyone else received their email yet?

        • +3

          Think it said may take 1-3 business days for it to arrive in your mailbox after claiming your offer.

          • +1

            @chengcsy: Ah ok fair enough. Thanks 🙂

            • @drinkin-beer: I claimed my offer at 4am this morning and haven't received an email yet. Might have to wait a few business days.

      • "Might look at other affordable options if it doesn't. Good time to up my security."

        MS & Google make software authenticator apps. They're a good start for most people.

        • +1

          Aegis is an open source authenticator app.
          Not necessarily better but a different approach.

      • I claimed on the same day, never received email to claim offer. Did you get to buy?

        • Did you get an email saying either you do or don't qualify for the offer?
