• expired

Yubico Security Key NFC US$10 (~A$15.52), Yubico Security Key C NFC US$11.60 (~A$18) (Cloudflare Customers Only) @ Cloudflare


The offer is open to any Cloudflare customer. Cloudflare customers can claim this offer for Yubico Security Keys directly in the Cloudflare dashboard.

Yubico will ship the keys to customers directly. The specific security keys and prices for this offer are: Yubico Security Key NFC at $10 USD and the Yubico Security Key C NFC at $11.60 USD. Customers can purchase up to 10 keys.

Original Cloudflare blog post

I would recommend buying two keys, one for day to day use, one as a backup.


closed Comments

          • @gadget: No email from Cloudflare or Yubikey at all. But the offer page on the Cloudflare account says 'offer claimed'. I am on a free tier basic account on Cloudflare.

  • -1

    It says Yubico will contact you about the offer by email??

    So you cannot get it directly, and BTW do make sure these keys are legit before using them for security purposes first.

    • +9

      I find it hard to believe that such a reputable company as Cloudflare would partner with Yubico and sell fake keys.

      • +2

        Unless they can intercept, duplicate and replace the package.

        That seems near impossible.

        • Not impossible, but you’d only do it for targeted individuals. The complexity of planning and executing a supply chain attack on a product like this makes it pretty expensive and increases the risk of discovery.

      • -2

        It doesn't hurt to be extra sure, we've already seen the consequences of that with Optus. So better safe than sorry. After all, who knows, maybe you were going to use it to unlock a password manager, hence a gateway to all of your passwords.

        • They are second factor authentication so there should always still be the password level security.
          Anyone rigging them up to be a simple "tap to unlock" method is really doing things wrong and is their own security risk.

    • +4

      You can verify that the key is genuine via the Yubico website.

    • @USER DC Get your tinfoil hat on..
      No way Cloudflare is offering fake keys.

  • Anybody got their email yet?

    • Not yet, still waiting.

      • done days ago but no email yet!

      • Got the email.

  • Not yet. Signed up a couple of hours ago to cloudflare…

  • +1

    Found this (though I'm sure you could find a review to recommend any brand):

    https://www.zdnet.com/article/best-security-key/

    I'm thinking to get the Yubikey 5Ci as my primary one, with the basic Security Key NFC and a Security Key C NFC as backup, or to use with older computers that only have USBA.

    • +6

      FWIW they do work with USB A to C adapters.

    • Yeah, I have a USB A NFC one as a backup and a USB C NFC one for primary. Works well. Just have to remember to register both and copy any new TOTP seeds to both.

  • +1

    Can 2 people use one key for multiple accounts?

    • +2

      Yes in most cases.
      The accounts still do a password login and then you need the key authentication.
      Of course most sites/banks/gov don't even support keys. Support is mostly in the IT industry.

  • Thank you! Within 1-3 business days, Yubico will send an email to the address associated with your Cloudflare account. Until then, navigate to the Zero Trust dashboard to start setting up secure application access. If you're not already a customer, you can sign up to our free Cloudflare Zero Trust plan for up to 50 users.

    So everyone is just claiming, and hasn't made a real purchase yet?

    • +1

      Seems like this.

    • So I signed up within days of this offer, then enabled the Zero Trust thingo, and I clicked claim offer. But I have not got the email.

      What do I have to set up to enable that email? I.e. you mentioned start setting up secure application access; excuse the noobness, but how, and is that when the claim triggers your email to Yubikey?

  • -4

    I don’t see any benefits to using this hardware key compared to Authenticator apps. The only advantage is being able to use it when your phone is out of battery. On the other hand, an Authenticator app is more flexible; you don’t have to bring it with you all the time because you already have your phone.

    • +1

      Except if someone has acquired the TOTP token then they can work out what the codes will be. This is more secure, and that’s the benefit you’re missing.

      • How can they get the TOTP key on my iPhone with Face ID protected :-)

        • +3

          Man in the middle attacks as a possibility. Also if the client is backing up TOTP codes (as Authy does) and your account is compromised.

          It would be great to see a single Australian bank support hardware 2FA tokens.

          • @kipps: Social engineering can happen with a hardware key as well. Especially if you use something like Duo Mobile, phishing is not possible. So, a hardware key has some benefits but it’s not significant.
            I’d prefer banks to support Duo rather than a hardware key. More gadgets make my pocket heavier and make it easy to lose stuff.

          • -1

            @kipps: Rabobank offers a Digipass hardware token

        • Don't know what this means but that's a very valid question.

        • Wear a mask that looks like you?

          • @CyberMurning: If you’re that kind of serious person, set a passcode for your Authenticator app.

      • Ultra low risk for most people.

        • Yes, exactly. People, especially security people are terrible at assessing risk.

          Reminds me of the old/current constantly changing complex passwords. Sure they are in theory more secure, in reality people write them down, making them quite insecure.

    • +4

      Physical keys are phish resistant. Your browser won't let you try to log into your facebook.com account on totally-legit-facebook.com with your security key for example, but you can be tricked into typing your Facebook 6 digit code into any old website.
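
The contrast drawn in the comments above (a TOTP code depends only on the seed and the clock, while a security key's response is tied to the site the browser is actually on), as an added example that is not part of the original thread. The seed is the public RFC 6238 test seed, the domains and challenge are constructed placeholders, and `webauthn_origin_ok` assumes the assertion signature has already been verified.

```python
import base64, hashlib, hmac, json, struct

def totp(seed_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1): a function of the shared seed and the clock only."""
    key = base64.b32decode(seed_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify_totp(seed_b32, code, unix_time):
    """Server-side check: no origin input, so a code typed into any site still verifies."""
    return hmac.compare_digest(totp(seed_b32, unix_time), code)

def webauthn_origin_ok(client_data_json, auth_data, rp_id, allowed_origin, challenge):
    """Origin-binding checks a relying party applies to a WebAuthn assertion.
    Assumes the signature over auth_data and the clientDataJSON hash was verified."""
    cd = json.loads(client_data_json)
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    return (cd.get("type") == "webauthn.get"
            and cd.get("challenge") == challenge
            and cd.get("origin") == allowed_origin  # written by the browser, not the page
            and hmac.compare_digest(auth_data[:32], rp_id_hash))

# Constructed sample values (not from the thread).
SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"   # RFC 6238 test seed "12345678901234567890"
CHALLENGE = "Y29uc3RydWN0ZWQtY2hhbGxlbmdl"  # placeholder base64url challenge
RP_ID, ORIGIN = "example.com", "https://login.example.com"

def sample_assertion(origin, rp_id):
    """Build the clientDataJSON and authenticatorData a browser would report for `origin`."""
    cd = json.dumps({"type": "webauthn.get", "challenge": CHALLENGE, "origin": origin})
    auth = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + struct.pack(">I", 1)
    return cd.encode(), auth

if __name__ == "__main__":
    code = totp(SEED, 59)
    print("TOTP at t=59:", code, "accepted:", verify_totp(SEED, code, 59))
    good = sample_assertion(ORIGIN, RP_ID)
    fake = sample_assertion("https://totally-legit-example.com", "totally-legit-example.com")
    print("genuine origin:", webauthn_origin_ok(*good, RP_ID, ORIGIN, CHALLENGE))
    print("look-alike origin:", webauthn_origin_ok(*fake, RP_ID, ORIGIN, CHALLENGE))
```
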

    • +1

      Favourite benefit of my YubiKeys over other methods is you just tap it. No typing in a code (which is getting really tedious as that form of 2FA proliferates) or waiting for a push notification to come through.

  • I just signed up to Cloudflare and there was a link to claim the offer on top of the dashboard page.
    I clicked it and I got the below message:

    Thank you! Within 1-3 business days, Yubico will send an email to the address associated with your Cloudflare account. Until then, navigate to the Zero Trust dashboard to start setting up secure application access. If you're not already a customer, you can sign up to our free Cloudflare Zero Trust plan for up to 50 users.

    So, should I wait for that mail from Yubico to get this deal? Or is there any other way to order now?

    • -5

      Here. No waiting, you can order now.

  • Delivery included or no?

  • Can I install it inside my laptop chassis near the NFC? My brain is always looking for shortcuts.

    • Does your laptop have NFC? Most don't. I'd love a USB NFC reader for my desk that would allow me to tap for auth.

    • Why not install it under our finger skin?

      • & what do you plan to authenticate with that finger ? 😂

  • @Motordom How do you sync both keys (day to day and backup) ? When setting up an account, just scan both ?

    • +1

      just scan both ?

      Yep. Treat them as 2 separate keys.

      You can't sync as that would defeat the purpose of them.

      A lot of good services will allow you to add multiple devices, but you may find that some will not allow you to install a backup. It's on a site by site basis.

    • +2

      This is what I do @ChipsChicky - set up four different accounts - one LastPass, and three Yubikeys. I scan the QR code with each key separately (and confirm each is displaying the same rolling code) before confirming in the app I'm setting up MFA (which is using TOTP) for.

      Those that support FIDO or Yubikeys (like Google, Lastpass, Github) typically support multiple keys anyway.

      Not all accounts go on all three keys (one is an off-site backup so only gets key accounts).

      One sits on my keyring and is with me at all times.

      One sits at home in a handy but not easily visible location, connected to my PC via a USB extension. The key is secured with a screw through the keyring hole. I can hit the button if needed, but it's not obvious.

      If my PC is stolen, the extension USB that the key is plugged into will be left behind and so the key will be left behind.

      LastPass is for convenience, though I should probably just stick with the Yubikey I carry and use the NFC reader on my phone, but I haven't been able to give up the convenience of LastPass Authenticator, yet.
      I'm not paranoid, much.

      • Those that support FIDO or Yubikeys (like Google, Lastpass, Github) typically support multiple keys anyway.

        What about Microsoft?

        • Can confirm Microsoft also supports multiple hardware security keys.

          However, last time I checked Microsoft accounts could not use the built-in security key on your phone. I have a Pixel phone and a lot of other platforms like Google, Facebook, Github recognize the Titan chip in my phone as a hardware security key. If you're using a PC then it connects to the phone via Bluetooth for authentication.

          Microsoft doesn't seem to support this however.

  • +4

    Don't understand why banks don't offer yubi key for authorising transactions and logging in

    • Some do for certain business / treasury accounts, but agree for consumer accounts.

    • +2

      Don't understand why massive banks like Westpac have a six digit password in this day and age. That's right, no more than six characters.

      • +3

        And how about ING…
        Minimum 4-digit numbers…

      • +2

        And 1 upper case, one symbol, it's a joke.

        Password best practice doesn't exist in the banking world.

        • Makes you realise the average user must be insanely stupid.

          Every time banks have increased security measures they've had to overturn them due to user complaints.

          • +2

            @Telios: I don't expect the bank to enforce long passwords (because of said users who find it all too hard), but I at least want the bank to give me the option of having strong authentication.

        • I believe they've claimed that with the browser fingerprinting, geo locations, time of day and whatever other behaviours they can measure then they factor that into a successful login attempt.
          I expect they'll be having to show that in court soon enough

          • @hotphil: CBA has locked me out a couple of times because I forgot to disconnect my VPN… but ING etc don’t.

      • Don't understand why massive banks like Westpac have a six digit password in this day and age. That's right, no more than six characters.

        Because…mainframe. That is the simple answer.

        • Can't upgrade the mainframe? Or too expensive to upgrade? Well, until there is a breach, then bosses start pointing fingers and say "what did I say, we should spend even if the cost is high".

          • +1

            @CyberMurning: Price isn't the issue, it's the complexity of the migration. You only need to look at Suncorp Bank's attempts over the past few years to modernise its banking platform, moving from Hogan on IBM z/OS to Oracle Banking Platform. In summary, they've written off $100m and ended up staying on Hogan… source: https://www.itnews.com.au/news/hogan-to-endure-at-suncorp-af…. I think every bank in Australia saw that project go up in flames and thought: "Yeah…no we're good. /patsthemainframe"

        • +2

          This simply isn’t true. User authentication at the web level can be managed independently of the mainframe backend.

    • Because bank "hacks" are overwhelmingly caused by social engineering - the customer grants the scammer access, or is misled into transferring out their own money.

      Yeah the crappy MFA/password requirements are really rubbish - but they aren't the usual vector for bank fraud.

      • +1

        An additional layer of security that has been tried and tested will always be good to have for those who want to use it. A yubikey is cheaper than many potential hassles customers go through.

        • Well, It’s probably NOT cheaper for a bank.

          Missing keys = calls to phone service = increased cost of operator. Meanwhile people rarely forget a 4 digit pin.

          I do wish banks would increase the security, but I’m sure they’ve done their own risk assessment.

    • Don't understand why banks don't offer yubi key for authorising transactions and logging in

      The primary reasons are cost…cost…and did I mention cost? Implementing support for and sourcing FIDO2 compliant devices could mean a significant investment, which needs to be justified and is going to eat into shareholder returns (dividends, etc.). Products like Yubikey are significantly more expensive than their software TOTP, SMS OTP, or push based solutions. And that is just for the authenticator itself before you get into the implementation project, ongoing overheads, support, training, etc. Most finance organisations have already heavily invested in using products like Oracle, Forgerock, RSA, etc. to deliver all of this, and have often already developed their own applications for these and they already meet regulatory requirements (think ANZ Shield, Suncorp Secured, etc.). Beyond that, banks (in spite of what they say publicly) move like glaciers…

      • It’s not a whole lot harder to implement FIDO2 than TOTP, both are relatively easy and customers would have to pay for the hardware if they wanted it. But yes, relatively few customers want it and fewer still would choose a bank over it so it’s unlikely to come to banks until it’s more widely supported outside the tech industry, because of that and of course that glacial pace. FIDO2 is more likely to work its way in via the fact that Apple/Microsoft/Google etc support it natively via biometrics etc than because everyone starts carrying Yubikeys.

  • Great deal. Recently bought 4 for about $80/ea on Amazon.

    • +1

      Same but bought 19

  • +1

    Decent alternatives, shipping is a bit slow but prices are decently less than Yubikey and they work in the same way without any issues I have seen.

    https://www.token2.com/home

    • Yubikey shipping was really slow when I got mine, took weeks and weeks.

  • what's this product and how's it work?

  • has anyone got the email yet?

    • +3

      No it’s a scam

      • How is it a scam?

    • I just got my email today.

      • same

  • Thanks OP, very cool deal. Hope to get the offer in 1-3 days

  • -1

    How come this is a deal when no one has yet been able to order a single Yubico Security Key?

  • Right as I was about to order USB C keys to replace my A/NFCs. Thanks OP!

  • -8

    Why do people keep banging on about social engineering? Lol
    Only applies to cretins and boomers - the exact group who also wouldn’t know these products even exist

  • -1

    where are the keys ?

    • -1

      waiting for door to be built

  • Anyone get the email?

    • +1

      Not yet. Came to ask the same question.

    • +1

      not yet

    • Keeps telling me I've claimed the "offer" but nothing has come through after 3 days *shrugs*

      • Same here

      • I think it's 3 business days and we all claimed on the weekend

        • they changed the terms….

          Cloudflare has partnered with Yubico to offer hardware authentication security keys at a promotional price to eligible Cloudflare customers. Select "Claim my offer" and Yubico will email the offer to the email address associated with your account if you are eligible.

          Eligible customers must have an active zone or actively use Cloudflare Zero Trust.

          You may not claim this offer multiple times from the same email and this offer may be restricted to one email per account. Cloudflare may modify, limit, or discontinue this promotion at any time. Offer is subject to Yubico's terms.

          • @davidl2: it was this (my browser still has the old terms)

            Yubico has partnered with Cloudflare to offer its hardware authentication security keys — at prices as low as $10 per key — to Cloudflare customers. Click "Claim my offer" and Yubico will email the offer to the email address associated with your account.

            Learn more about how Cloudflare Zero Trust makes it easy to activate and authenticate using your hardware security keys with any identity provider for more secure access to any self-hosted or SaaS application.

          • @davidl2: How do I meet "Eligible customers must have an active zone or actively use Cloudflare Zero Trust"?

            Again, as mentioned, I made an account, and the offer was open to click. I enabled Zero Trust. But I have not set up anything to use in Zero Trust. So how do I activate a zone or actively use it?

            Asking as I clicked claim offer and enabled Zero Trust but haven't got the email. And guessing this must be because I am not actively using it, or maybe it's not actively used even though enabled??

            All help welcome.

    • got the email today and bought 2.

  • +2

    my voice is my passport

    • +2

      in australia, my voice identifies me

    • No more secrets, turtles.
