The Key to Strong, Affordable Authentication

Last Updated: 09/10/2023

When I first saw a Yubikey in use, I was fascinated as much as I was confused. Didn’t we move away from hardware tokens years ago? Are we not using mobile devices for MFA instead?

Fast forward 2 years and we have implemented Yubikeys within Bytes, as well as having conversations with our clients about how Yubikey can be an inexpensive way to heighten security… Interested? Then read on…

With every solution, there must be a challenge. The following challenges are the most common I have come across when consulting clients:

  • MFA is now a mandatory requirement, not a nice-to-have. But we have seen a trend whereby businesses only apply it to a select number of services (mainly cloud services and in some cases VPN, but rarely on-prem services).
  • SMS and push-based notifications are not as secure as we think and are susceptible to interception and phishing-based attacks.
  • Security budgets are decreasing while the cost of a breach is increasing. Looking for options that are value for money and will make an impact is key.

Enter Yubikey

Yubikey is a small device that makes MFA/2FA as simple as possible. Instead of a notification sent to your device or having a code texted to you, you simply plug in your key (via USB or Lightning) and press a button.

Each Yubikey stores a unique secret key and generates a one-time code when the button is pressed; this code is used to confirm your identity and authenticate you.
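To make the "unique code" concrete, here is an added example (not code from the original post or from Yubico) of the OATH-HOTP and OATH-TOTP algorithms the key supports, together with the server-side checks that matter in practice: a look-ahead window so that button presses that never reached the server do not lock the user out, replay rejection once a counter value has been accepted, and a small clock-skew window for TOTP. The secret and all values are the constructed test vectors from RFC 4226 and RFC 6238; the class and function names are my own.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte picks the 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the number of elapsed time steps."""
    return hotp(secret, at_time // step, digits)


class HotpVerifier:
    """Server-side state for one HOTP token (constructed example, not a real library).

    Keeps the next expected counter and accepts a code only within a bounded look-ahead
    window, so a few unsynchronised button presses are tolerated but a code that was
    already accepted can never be replayed.
    """

    def __init__(self, secret: bytes, look_ahead: int = 10):
        self.secret = secret
        self.next_counter = 0
        self.look_ahead = look_ahead

    def verify(self, code: str) -> bool:
        for candidate in range(self.next_counter, self.next_counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.next_counter = candidate + 1   # resync past the accepted counter
                return True
        return False                                # outside the window: requires a manual resync


def verify_totp(secret: bytes, code: str, at_time: int, skew_steps: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Accept a TOTP code for the current step or +/- skew_steps to absorb small clock drift."""
    current = at_time // step
    return any(
        hmac.compare_digest(hotp(secret, current + delta, digits), code)
        for delta in range(-skew_steps, skew_steps + 1)
    )


if __name__ == "__main__":
    SECRET = b"12345678901234567890"              # RFC 4226 / 6238 test secret
    print("HOTP counter 0:", hotp(SECRET, 0))    # 755224 per RFC 4226 appendix D
    print("TOTP at t=59 :", totp(SECRET, 59, digits=8))  # 94287082 per RFC 6238 appendix B
    v = HotpVerifier(SECRET)
    print("first use   :", v.verify(hotp(SECRET, 0)))
    print("replay      :", v.verify(hotp(SECRET, 0)))
```

The look-ahead window is the usual trade-off: wide enough that a user who pressed the button a few times without logging in is not locked out, narrow enough that guessing is no easier than it needs to be. Note that these OATH codes are not bound to the site that asks for them, which is exactly why they remain phishable; FIDO, covered below, addresses that.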

Yubikeys can be set up to work with different systems, like Azure AD, Okta and even Active Directory. There is multi-protocol support for Yubikeys, with most versions supporting: FIDO (U2F & FIDO2), OATH-TOTP, OATH-HOTP, Smart Card (PIV) and OpenPGP. Whilst there is software for managing and configuring the Yubikeys, there isn't a software cost for using them, only the cost of the physical token.
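The FIDO protocols in that list are the ones that actually defeat the phishing problem raised earlier, because the authenticator signs over the origin the browser saw rather than handing out a code that works anywhere. The following is an added example (my own code, not from the original post, Yubico or any WebAuthn library) of the relying-party checks that enforce this on the server: the `clientDataJSON` type, challenge and origin, the `rpIdHash` and user-presence flag in the authenticator data, and the signature counter used to detect cloned credentials. The relying-party id, origin and challenge bytes are constructed; the signature verification over `authData || SHA-256(clientDataJSON)` with the credential's public key is the step that makes these fields tamper-evident and is called out in a comment rather than implemented, since it needs an ECDSA library outside the standard library.

```python
import base64
import hashlib
import hmac
import json

RP_ID = "login.example.com"                 # constructed relying-party id (hypothetical)
EXPECTED_ORIGIN = "https://login.example.com"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_client_data(origin: str, challenge: bytes) -> bytes:
    """What the browser assembles for a webauthn.get ceremony (constructed for the example)."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url(challenge),
                       "origin": origin}).encode()


def build_auth_data(rp_id: str, counter: int, flags: int = 0x05) -> bytes:
    """Authenticator data: rpIdHash (32) || flags (1) || signCount (4). 0x05 = UP + UV set."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + counter.to_bytes(4, "big")


def check_assertion(client_data_json: bytes, auth_data: bytes, expected_challenge: bytes,
                    expected_origin: str, rp_id: str, last_counter: int) -> str:
    """Relying-party verification. Returns 'ok' or the reason the assertion is rejected."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return "wrong ceremony type"
    if not hmac.compare_digest(b64url_decode(client_data.get("challenge", "")), expected_challenge):
        return "challenge mismatch"
    # Origin binding: a look-alike site gets a different origin baked into the signed data.
    if client_data.get("origin") != expected_origin:
        return "origin mismatch"
    if len(auth_data) < 37:
        return "authenticator data too short"
    if not hmac.compare_digest(auth_data[:32], hashlib.sha256(rp_id.encode()).digest()):
        return "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return "user presence flag not set"
    counter = int.from_bytes(auth_data[33:37], "big")
    # A non-increasing counter suggests a cloned credential; authenticators without a
    # counter report 0 and are exempt from this check.
    if counter != 0 and counter <= last_counter:
        return "counter did not increase"
    # Omitted here: verify the credential public key's signature over
    # auth_data + sha256(client_data_json). Without it the checks above are unsigned claims.
    return "ok"


if __name__ == "__main__":
    challenge = bytes(range(32))             # constructed; real RPs use random challenges
    good = check_assertion(build_client_data(EXPECTED_ORIGIN, challenge),
                           build_auth_data(RP_ID, 5), challenge, EXPECTED_ORIGIN, RP_ID, 4)
    phish = check_assertion(build_client_data("https://login-example.com", challenge),
                            build_auth_data(RP_ID, 5), challenge, EXPECTED_ORIGIN, RP_ID, 4)
    print("genuine site:", good)
    print("look-alike  :", phish)
```

The point to take from the look-alike case is that the user did nothing wrong: the browser, not the user, decided what origin went into the signed data, so there is no code for the user to be tricked into typing.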

Why use Yubikey?

It’s easy to think: “I have a phone; can’t I use this for MFA?” and that’s absolutely correct. However, Yubikeys provide an alternate option and allow for different use cases.

For example, some businesses do not supply corporate mobile devices to each user and – on the other hand – some users might not want to use their personal device for business purposes. In this case, Yubikey makes sense as it’s a fraction of the cost of a mobile device and will allow the user to securely authenticate.

Another use case (and one I want to draw attention to) is that Yubikeys can be used as a "Smart Card", which in effect means that Yubikeys can be used to secure and authenticate users to on-premises systems. At Bytes, we have utilised Yubikeys to secure internal resources that our administrators access. So, instead of using the good old username and password to RDP to something, our admins need to authenticate via Yubikey. You can configure Yubikeys to host a certificate, which allows for an easier implementation of strong multifactor authentication utilising the native Windows tools. This use case effectively stops admins from having to type in their password when accessing systems, which in turn helps to deter social engineering attacks against them (most commonly, a social engineering attack will look to gain the password from a privileged user).

Now this is interesting, as most MFA systems don’t extend much into on-premises and are designed mainly for cloud services. Yubikey leverages the Microsoft native tools (Active Directory Certificate Services), so there isn’t an additional software cost to use this, only the cost of the key itself. In terms of value for money, this is a great option.

Summary

We are not saying "don't use MFA on mobile devices"; there is very much still a place for that. But the message is that there are different options and ways to extend the security that MFA provides to systems that might not be covered by a typical MFA provider. Yubikey gives us a sensible option which is both secure and cost effective, and at a time when IT budgets are shrinking while the expectation for security is high, it would be irresponsible not to consider such an option.

My advice is to jump onto Amazon, spend the ~£60 for a Yubikey, and tinker around with one. Start small, e.g. enrol into Azure AD, Okta or Windows Hello, and then consider the use case for securing on-premises systems. I myself own a few Yubikeys, and use them for my Azure AD accounts, my Okta account and even my personal KeePass database.

Finally, I want to thank Bytes Software Services for allowing me to post this blog on my personal site. Original Post can be found here: Yubikey Blog: The Key to Strong, Affordable Authentication (bytes.co.uk)

Thank you for reading!
