About The ISC Project
The Information Safety & Capacity (ISC) Project provides advanced, sustained information security and capacity building assistance to civil society organizations, human rights activists, and independent media in countries where free expression, journalistic reporting, online communications, and advocacy are critical to societal liberalization and development, but potentially risky to personal safety. The ISC Project provides mentoring and support services to assist stakeholders in securing their online and mobile communications, so that these platforms can be safely employed in support of civil society development and the protection of human rights.
This case study focuses on the value that YubiKey brings to The ISC Project and presents two brief stories illustrating how YubiKeys are being used by two organizations where confidentiality and security are top concerns for members in the field.
The quote and stories below are from an ISC Project team member under terms of anonymity.
THE NEED FOR STRONG AUTHENTICATION
“The ISC Project works with civil society organizations and individuals all over the world who may not be very well versed in technology, but still rely on email communications for their work. Many of them have experienced hacking incidents or seen their email accessed by unauthorized users in other ways. Many of them have had their private information end up in the wrong hands and used to discredit their activism.
“To address this issue, we introduced them to YubiKeys, which provide a very tangible and easy-to-understand solution to implementing two-factor authentication for their email accounts. YubiKey allows ISC Project partners to understand this verification process in practical terms.”
“Yubico’s collaboration with Google Apps takes authentication to a whole new level. ISC Project has worked with our partners to use Google Apps and move their email servers outside of their countries. This is important because many of them are at risk of office raids where confiscation of their email servers would disrupt their operations and expose sensitive conversations that could lead to targeted harassment or re-victimization of their network of trusted contacts.
“If they would lose control of access to their conversations, this would likely ruin trust relationships and make their work difficult, if not impossible. Now, given Yubico’s integration with Google Apps, this process becomes even easier. As more services adopt FIDO Universal 2nd Factor (U2F) technology, this will hopefully grow to be standard practice.”
“In our experience, two-step authentication is a difficult concept for some of our partners to grasp. Couple this with terminology such as continuously changing time-based tokens, and most users we train completely lose interest in the topic. However, with a YubiKey and its unique key-shaped design, there is a very easy-to-understand comparison to how people commonly use keys in everyday life.
“Another important reason why our local partners find Yubico products, especially the U2F keys, so useful is the fact that their adversaries know at least two ways to successfully attack traditional two-factor authentication systems. One way uses the fact that the governments have access to mobile operators and could make duplicate SIM cards. Another is through phishing websites which ask the user to provide the second factor – we saw two cases like that in Ukraine.”
STORIES FROM THE FIELD
Who: A partner election monitoring non-governmental organization (NGO) in Eastern Europe to which confidentiality is very important.
Use Case: Since the organization monitors elections and reports on election fraud, it has used the standard YubiKeys for several years. Before they were introduced to YubiKeys, some staffers were unable to remember longer passwords to protect their equipment and online accounts. The initial deployment of YubiKey products happened after a security audit had revealed that some staffers were using really weak passwords for sensitive information.
More recently, the organization has been introduced by the ISC Project and Google Ideas to Yubico’s FIDO U2F Security Key and staff began using it for Google accounts in Chrome. The organization also tests U2F keys for the admin panels of its own online infrastructure. It likes YubiKeys because the use of a physical object (“something you have”) works better for them than shared secrets such as passwords (“something you know”).
Who: A human rights organization in Eastern Europe that operates multiple projects in the region.
Use Case: It’s a large organization and there is only one person in charge of information and communications technology (ICT), so it was looking for an easy solution to manage passwords. Then they learned about the first organization’s experience (above use case) and decided to implement the same system, YubiKey with static passwords. The ISC Project provided them with YubiKeys and two-factor authentication training. This allowed the organization to protect key staff who access sensitive documents for work.
In late 2015, the organization also received a donation of Yubico’s FIDO U2F Security Keys. Now the IT department is testing Google access.