Are Yubico keys or any keys used for authentication worth it?

Anonymous
2024-11-07T13:41:25+00:00

Are Yubico keys or any keys used for authentication worth it? If someone has a compromised device and uses it, can the signal sent not be cloned?

Windows for home | Windows 11 | Security and privacy

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question.

Answer accepted by question author
  1. EmilyS726 225.9K Reputation points Independent Advisor
    2024-11-07T14:30:12+00:00

    Hello, this is Emily.

    The context here is not really clear.

    Yes, a Yubico key does use a non-cloneable signal. But it is just another type of 2FA method.

    I don't know how you are planning on using it for your device, but it is not meant for logging into your Windows if you are a home user/using a Microsoft account to sign into your Windows. It can, however, be used on websites that use a Microsoft account to sign in, such as https://account.live.com.

    So, when you talked about a compromised device, that depends on how you define the compromise itself. A Yubico key will not protect you from Windows login compromise if you are using a Microsoft account. If you are using a local account, then absolutely yes. If you are talking about a phishing/malware attack, and the attacker gains your Microsoft account password for websites that use your Microsoft account, the key can definitely protect, but it is no different from other 2FA methods, such as obtaining the approval code on an authentication app on your phone, etc.

    Whether it is worth it is a very subjective question. If you use a Microsoft account to sign into your Windows and it is this part where you hope to strengthen the security, then it is not worth it.

    1 person found this answer helpful.
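The "non-cloneable signal" from the answer above, as an added example that is not part of the original thread or any Yubico or Microsoft code: a simplified model of the challenge-response sign-in that FIDO2/WebAuthn security keys perform, showing that a recorded response is rejected when sent again. All names (`Server`, `tokenSign`, `payloadFor`, the `login.example` origin) are hypothetical, and the software key pair stands in for the one kept inside the hardware token.

```javascript
// Simplified model of a security-key sign-in (NOT the real WebAuthn wire format).
// Hypothetical names throughout; the key pair stands in for the one inside the token.
const crypto = require('crypto');

// Registration: the token creates a key pair; the server only ever stores the public key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });

// Bytes that get signed: the server's one-time challenge bound to the site origin.
function payloadFor(challenge, origin) {
  return Buffer.from(JSON.stringify([challenge.toString('hex'), origin]));
}

// Token side: signing happens inside the device; only the signature leaves it.
function tokenSign(challenge, origin) {
  return crypto.sign('sha256', payloadFor(challenge, origin), privateKey);
}

class Server {
  constructor(pubKey, origin) {
    this.pubKey = pubKey;
    this.origin = origin;
    this.pending = new Set(); // challenges issued but not yet answered
  }
  newChallenge() {
    const c = crypto.randomBytes(32);
    this.pending.add(c.toString('hex'));
    return c;
  }
  verify(challenge, signature) {
    // Each challenge is accepted once, so a recorded exchange cannot be re-submitted.
    if (!this.pending.delete(challenge.toString('hex'))) return 'challenge-not-pending';
    const ok = crypto.verify('sha256', payloadFor(challenge, this.origin), this.pubKey, signature);
    return ok ? 'ok' : 'bad-signature';
  }
}

function demo() {
  const site = 'https://login.example'; // constructed sample origin
  const server = new Server(publicKey, site);
  const c1 = server.newChallenge();
  const sig1 = tokenSign(c1, site);
  const first = server.verify(c1, sig1);      // genuine sign-in
  const replaySame = server.verify(c1, sig1); // same exchange sent again
  const c2 = server.newChallenge();
  const replayNew = server.verify(c2, sig1);  // old signature against a new challenge
  return { first, replaySame, replayNew };
}

console.log(demo());
```

The model covers only the re-use of a recorded response, which is the cloning question asked in this thread.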

4 additional answers

  1. EmilyS726 225.9K Reputation points Independent Advisor
    2024-11-07T15:52:43+00:00

    If these are attempts that failed, they are not of concern though. It is completely normal and it doesn't mean your email is compromised. It is more common than we think these days, as our email address can be left in public places when we go to public online forums, sign up for things, etc. Everyone's account (Microsoft or Google, etc.) will have a list of failed attempts here and there. For example, if I know what your email address is, I can go to the Microsoft website and try to sign in, but obviously I don't know your password, so I will fail. But that will show up in your account activity as a failed attempt. It means the security in place works and there's no need to take any action.

    As for your device, since you are using a local user, you can definitely use a physical key to add another layer of security, but that's to protect access to your device; it is not about protecting your Microsoft account.

  2. Anonymous
    2024-11-07T15:37:35+00:00

    No, they haven't gotten in; it's many attempts but failed. I regularly check on Have I Been Pwned to check if my emails have been in any new leaks and if I have to change my password immediately.

    For my device I just use a local user.

  3. EmilyS726 225.9K Reputation points Independent Advisor
    2024-11-07T14:42:29+00:00

    When you said your email has been leaked, what do you mean? Did an attacker actually get into your email account, or is it just attempts but failed?

    How do you log into your device? Are you using a personal Microsoft account, or are you using a local user?

  4. Anonymous
    2024-11-07T14:39:53+00:00

    No, I don't use my primary Microsoft account for Windows but rather for personal emails. My email has been leaked a couple of times. I regularly change my password and all and have 2FA used; however, I heard they are not as secure as a Yubico key, so I was thinking about whether it is worth it.

    When I was talking about compromise, I meant: if an individual's device was compromised and they log in to their accounts, wouldn't a Yubico key be useless?
