{"video_id":"NEDeL3Q4WvI","title":"Logging In With A USB Key (U2F Explained)","channel":"Techquickie","show":"Techquickie","published_at":"2019-05-06T14:58:16Z","duration_s":319,"segments":[{"start_s":0.0,"end_s":6.66,"text":"Thanks for watching tech wiki click the subscribe button then enable notifications with the bell icon so you won't miss any future videos","speaker":null,"is_sponsor":0},{"start_s":6.86,"end_s":13.8,"text":"Have you ever heard? Oh, well, sorry my account got hacked as an excuse for an incredibly inappropriate","speaker":null,"is_sponsor":0},{"start_s":14.02,"end_s":15.99,"text":"post on social media","speaker":null,"is_sponsor":0},{"start_s":15.99,"end_s":21.27,"text":"Well for me, it's kind of becoming the modern equivalent to the dog ate my homework","speaker":null,"is_sponsor":0},{"start_s":21.79,"end_s":26.07,"text":"Especially because so many major web services offer two-factor authentication","speaker":null,"is_sponsor":0},{"start_s":26.07,"end_s":33.23,"text":"to keep intruders out of your account a feature that asks for something else in addition to your password","speaker":null,"is_sponsor":0},{"start_s":33.57,"end_s":37.73,"text":"Typically one of those six-digit codes from an authenticator app on your phone","speaker":null,"is_sponsor":0},{"start_s":38.13,"end_s":40.67,"text":"So you can learn all about how those work up here","speaker":null,"is_sponsor":0},{"start_s":40.85,"end_s":46.53,"text":"But what if you're tired of punching in that string of numbers whenever you log in well","speaker":null,"is_sponsor":0},{"start_s":46.53,"end_s":53.95,"text":"Then you might be interested in a physical security key using the universal two-factor or u2f standard","speaker":null,"is_sponsor":0},{"start_s":54.11,"end_s":55.99,"text":"You see instead of a code that","speaker":null,"is_sponsor":0},{"start_s":55.99,"end_s":59.51,"text":"Changes every 30 seconds u2f relies on a small","speaker":null,"is_sponsor":0},{"start_s":60.05,"end_s":66.17,"text":"Physical chip on a little gadget that looks a bit like a USB flash drive that you can keep on your keychain","speaker":null,"is_sponsor":0},{"start_s":66.73,"end_s":69.05,"text":"Or in some kind of safe location","speaker":null,"is_sponsor":0},{"start_s":69.51,"end_s":75.77,"text":"Typically all you need to do to set one up is tell whichever service you're using that you have a u2f key then","speaker":null,"is_sponsor":0},{"start_s":76.29,"end_s":80.39,"text":"Inserted into a free USB port some of them even support NFC","speaker":null,"is_sponsor":0},{"start_s":80.39,"end_s":86.29,"text":"So you can use them with your Android smartphone and iOS users very recently got support for u2f","speaker":null,"is_sponsor":0},{"start_s":86.31,"end_s":91.37,"text":"Devices over NFC with the UB key neo if you're using an iPhone 7 or newer","speaker":null,"is_sponsor":0},{"start_s":91.55,"end_s":96.31,"text":"So after you insert or tap your key a number of things happen in the background","speaker":null,"is_sponsor":0},{"start_s":96.45,"end_s":101.95,"text":"The key will randomly generate a public and private key pair with the private key","speaker":null,"is_sponsor":0},{"start_s":102.09,"end_s":107.59,"text":"Never leaving the physical u2f key and the public key will get sent to a server","speaker":null,"is_sponsor":0},{"start_s":107.91,"end_s":114.43,"text":"Your key will also send the random number that it picked to generate these keys originally called a nonce as well as a checksum that serves to a server.","speaker":null,"is_sponsor":0},{"start_s":114.43,"end_s":115.43,"text":"As well as a checksum that serves to a server.","speaker":null,"is_sponsor":0},{"start_s":115.43,"end_s":115.93,"text":"As well as a checksum that serves to a server.","speaker":null,"is_sponsor":0},{"start_s":116.31,"end_s":119.03,"text":"To identify that specific physical key","speaker":null,"is_sponsor":0},{"start_s":119.53,"end_s":123.77,"text":"Then when it's time to come back later and log in you enter your username and password","speaker":null,"is_sponsor":0},{"start_s":124.15,"end_s":131.13,"text":"Like you normally would and the server will send you that same nonce and checksum back to your u2f key","speaker":null,"is_sponsor":0},{"start_s":131.27,"end_s":137.81,"text":"along with a different number your physical key will then use the nonce and checksum from the server to","speaker":null,"is_sponsor":0},{"start_s":138.31,"end_s":144.89,"text":"regenerate the private key and since each physical u2f key uses a different secret for key generation","speaker":null,"is_sponsor":0},{"start_s":144.89,"end_s":149.05,"text":"Only the original key you used to register will work","speaker":null,"is_sponsor":0},{"start_s":149.61,"end_s":156.31,"text":"Your u2f key then signs the number that was sent to it with the private key and the result is sent to the server","speaker":null,"is_sponsor":0},{"start_s":156.37,"end_s":162.55,"text":"Which then unlocks it with your public key from your u2f key to allow you to access it","speaker":null,"is_sponsor":0},{"start_s":162.55,"end_s":164.19,"text":"It sounds complicated","speaker":null,"is_sponsor":0},{"start_s":164.19,"end_s":171.85,"text":"But all of this happens without any intervention from the user other than simply plugging in a USB stick and the benefits are","speaker":null,"is_sponsor":0},{"start_s":172.51,"end_s":174.71,"text":"definitely worthwhile because it also","speaker":null,"is_sponsor":0},{"start_s":174.89,"end_s":176.89,"text":"protects against phishing attacks","speaker":null,"is_sponsor":0},{"start_s":177.39,"end_s":182.53,"text":"Numeric authentication codes are definitely way better than having no two-factor protection at all","speaker":null,"is_sponsor":0},{"start_s":182.71,"end_s":187.81,"text":"But they can still be stolen if you accidentally enter them on an imposter website","speaker":null,"is_sponsor":0},{"start_s":188.51,"end_s":194.23,"text":"u2f helps to stop this by using the original domain of the site as part of the","speaker":null,"is_sponsor":0},{"start_s":194.61,"end_s":198.45,"text":"Secret sauce it uses to generate the private key for that account","speaker":null,"is_sponsor":0},{"start_s":198.77,"end_s":204.69,"text":"So if you use your physical key to log in to an attackers website the response it will","speaker":null,"is_sponsor":0},{"start_s":204.89,"end_s":209.25,"text":"Send to that hostile server will be completely useless and the bad guys","speaker":null,"is_sponsor":0},{"start_s":209.51,"end_s":212.43,"text":"won't be able to use it to get into your account and","speaker":null,"is_sponsor":0},{"start_s":212.81,"end_s":219.21,"text":"The companies that make u2f keys have added their own additional security features on top of this base","speaker":null,"is_sponsor":0},{"start_s":219.53,"end_s":226.99,"text":"public key encryption strategy the ever popular YubiKey for example requires you to touch a sensor on the USB stick","speaker":null,"is_sponsor":0},{"start_s":227.57,"end_s":234.79,"text":"Before it authenticates ensuring that there's an actual human trying to gain access and not some kind of malware box","speaker":null,"is_sponsor":0},{"start_s":235.41,"end_s":239.57,"text":"With all of that said as great as this kind of physical security can be","speaker":null,"is_sponsor":0},{"start_s":239.85,"end_s":245.53,"text":"You still need to make sure you don't do anything dumb like drop your keychain in a shady part of town which","speaker":null,"is_sponsor":0},{"start_s":250.08,"end_s":254.94,"text":"Racing against the clock as a freelancer. Well, it's challenging but thanks to the growth of the internet","speaker":null,"is_sponsor":0},{"start_s":254.94,"end_s":260.94,"text":"There's never been more opportunities for the self-employed and to meet this need fresh books created their cloud accounting software","speaker":null,"is_sponsor":0},{"start_s":261.38,"end_s":268.3,"text":"Designed for the way you work fresh books is the simplest and easiest way to be more productive more organized and perhaps","speaker":null,"is_sponsor":0},{"start_s":268.32,"end_s":274.32,"text":"Most importantly get paid faster. You can create and send professional-looking invoices in less than 30 seconds","speaker":null,"is_sponsor":0},{"start_s":274.32,"end_s":278.26,"text":"You can set up online payments with just a couple of clicks and get paid up to four days faster","speaker":null,"is_sponsor":0},{"start_s":278.26,"end_s":282.36,"text":"You can see when your client has seen your invoice and put an end to the guessing games","speaker":null,"is_sponsor":0},{"start_s":282.36,"end_s":285.36,"text":"And they've got fully featured apps for both Android and iOS","speaker":null,"is_sponsor":0},{"start_s":286.12,"end_s":292.26,"text":"So you can take the fresh books experience with you on the go. They're offering a 30-day unrestricted free trial to our viewers","speaker":null,"is_sponsor":0},{"start_s":292.26,"end_s":298.02,"text":"So to claim it go to fresh books comm slash tech wiki and enter Techquickie in the how did you hear about us section?","speaker":null,"is_sponsor":0},{"start_s":298.32,"end_s":299.7,"text":"We'll have that linked below","speaker":null,"is_sponsor":0},{"start_s":299.7,"end_s":304.87,"text":"so thanks for watching guys dislike or like check out other channels leave a comment with video suggestions and","speaker":null,"is_sponsor":0},{"start_s":306.13,"end_s":309.57,"text":"What was he gonna say?","speaker":null,"is_sponsor":0},{"start_s":309.57,"end_s":314.83,"text":"You guys I know what I was gonna say not you. I meant the viewer was supposed to guess subscribe","speaker":null,"is_sponsor":0},{"start_s":314.83,"end_s":316.83,"text":"You know what forget it. I quit","speaker":null,"is_sponsor":0}],"full_text":"Thanks for watching tech wiki click the subscribe button then enable notifications with the bell icon so you won't miss any future videos Have you ever heard? Oh, well, sorry my account got hacked as an excuse for an incredibly inappropriate post on social media Well for me, it's kind of becoming the modern equivalent to the dog ate my homework Especially because so many major web services offer two-factor authentication to keep intruders out of your account a feature that asks for something else in addition to your password Typically one of those six-digit codes from an authenticator app on your phone So you can learn all about how those work up here But what if you're tired of punching in that string of numbers whenever you log in well Then you might be interested in a physical security key using the universal two-factor or u2f standard You see instead of a code that Changes every 30 seconds u2f relies on a small Physical chip on a little gadget that looks a bit like a USB flash drive that you can keep on your keychain Or in some kind of safe location Typically all you need to do to set one up is tell whichever service you're using that you have a u2f key then Inserted into a free USB port some of them even support NFC So you can use them with your Android smartphone and iOS users very recently got support for u2f Devices over NFC with the UB key neo if you're using an iPhone 7 or newer So after you insert or tap your key a number of things happen in the background The key will randomly generate a public and private key pair with the private key Never leaving the physical u2f key and the public key will get sent to a server Your key will also send the random number that it picked to generate these keys originally called a nonce as well as a checksum that serves to a server. As well as a checksum that serves to a server. As well as a checksum that serves to a server. To identify that specific physical key Then when it's time to come back later and log in you enter your username and password Like you normally would and the server will send you that same nonce and checksum back to your u2f key along with a different number your physical key will then use the nonce and checksum from the server to regenerate the private key and since each physical u2f key uses a different secret for key generation Only the original key you used to register will work Your u2f key then signs the number that was sent to it with the private key and the result is sent to the server Which then unlocks it with your public key from your u2f key to allow you to access it It sounds complicated But all of this happens without any intervention from the user other than simply plugging in a USB stick and the benefits are definitely worthwhile because it also protects against phishing attacks Numeric authentication codes are definitely way better than having no two-factor protection at all But they can still be stolen if you accidentally enter them on an imposter website u2f helps to stop this by using the original domain of the site as part of the Secret sauce it uses to generate the private key for that account So if you use your physical key to log in to an attackers website the response it will Send to that hostile server will be completely useless and the bad guys won't be able to use it to get into your account and The companies that make u2f keys have added their own additional security features on top of this base public key encryption strategy the ever popular YubiKey for example requires you to touch a sensor on the USB stick Before it authenticates ensuring that there's an actual human trying to gain access and not some kind of malware box With all of that said as great as this kind of physical security can be You still need to make sure you don't do anything dumb like drop your keychain in a shady part of town which Racing against the clock as a freelancer. Well, it's challenging but thanks to the growth of the internet There's never been more opportunities for the self-employed and to meet this need fresh books created their cloud accounting software Designed for the way you work fresh books is the simplest and easiest way to be more productive more organized and perhaps Most importantly get paid faster. You can create and send professional-looking invoices in less than 30 seconds You can set up online payments with just a couple of clicks and get paid up to four days faster You can see when your client has seen your invoice and put an end to the guessing games And they've got fully featured apps for both Android and iOS So you can take the fresh books experience with you on the go. They're offering a 30-day unrestricted free trial to our viewers So to claim it go to fresh books comm slash tech wiki and enter Techquickie in the how did you hear about us section? We'll have that linked below so thanks for watching guys dislike or like check out other channels leave a comment with video suggestions and What was he gonna say? You guys I know what I was gonna say not you. I meant the viewer was supposed to guess subscribe You know what forget it. I quit"}