<aside> 💡 Only buy YubiKeys from the official store at https://www.yubico.com/ DO NOT PURCHASE ANYWHERE ELSE.

</aside>

TL;DR

OTP is when you type in the number from the authenticator app on your phone when you log in. Baddies will trick you into giving them that code during phishing, and it has been a common part of phishing kits for many years. Using a hardware token that you physically touch while it is plugged into your computer (see images below), rather than typing in a code, is currently the best protection we have. Use it!

[Image: Yubikey hardware token, plugged into a computer (1 of 2)]

[Image: Yubikey hardware token, plugged into a computer (2 of 2)]

Example Phishing

Phishing with OTP (successful 😢)

[Video: GitHub_Phishing_OTP.mov]

Phishing with Yubikey (Safe! 💪🔒)

[Video: GitHub_Phishing_Yubikey.mov]

Overview

Most online accounts are secured by a username and a password. This is a single factor of authentication (one way to prove you are who you say you are!). To keep everyone safe, the general security guidance is that users should have an additional form of authentication. This means that if a baddie has your username and password, they still need something else to log in to your accounts!

Some examples of Multi-factor options:

Types of MFA