Danish Experts Tap YubiKey Security for Government and Banks

October 2, 2014 4 minute read

When security consultant Ian Qvist talks about YubiKeys, he does so with a knowing grin and the knowledge he’s tightening security without adding complexity. Qvist works with customers such as government agencies and Danish banks whose IT teams are looking for answers to specialized security needs.

“We use YubiKeys in a lot of places,” says Qvist, an eCrime senior consultant for CSIS Security Group A/S in Denmark. “They are so flexible we use it wherever we want to.”

The YubiKey is a simple USB-key that looks like a keyboard to your computer, and with a simple touch delivers two-factor authentication to secure logins.

Qvist says CSIS, which stands for Cyber Security and Intelligence Services, discovered the power of YubiKeys when he rolled out LastPass password manager internally to the company’s employees. Being security minded, the employees were concerned that all their passwords were in one place. Qvist quieted concerns by strengthening authentication to the password manager with a YubiKey.

Ian-Qvist-CSIS

Jens Christensen, security researcher at CSIS Security Group A/S in Denmark, holds up a Yubikey. While small, it is giving his business and customers a big assist on security.

LastPass was the first place we used YubiKey,” he said. “Insert the key, touch it and it is setup, anyone can do that.”

Ever since, the 10-year-old company has been finding spots in government and banking where the YubiKey can boost security and protect end-users, systems and digital resources. And now the YubiKey is an important element in the security services CSIS offers clients.

Today, YubiKeys also are used at CSIS to bolster security for other services including Microsoft’s Remote Desktop Protocol, VPNs and domain passwords.

“Because the YubiKey can be configured, we use them for many different applications,” Qvist said. “That is amazing for us. And we are coming up with new ways to use them.” YubiKeys can be set up for  a long static password or the open authentication OATH standard.

He says from a security perspective the ease of use and configuration options are what make the YubiKey so valuable.

CSIS uses Yubico’s personalization tool to deploy YubiKey security with many different authentication methods.

YubiKeys have support for Yubico one-time passcodes, Open Authentication (OATH) including HOTP and TOTP , Challenge-Response and Static Passwords. The YubiKey NEO also supports Near-Field Communication (NFC) for using YubiKey with mobile devices, smart card functionality, including PIV and Open PGP, and later this fall the FIDO Alliance’s Universal Second Factor (U2F) protocol.

CSIS uses both the YubiKey Nano form-factor, which tucks inside a USB port and can be left in the computer, and the Standard form-factor, a small, hermetically-sealed device that can attach to a keychain.

YubiKeys don’t require any software installation, drivers or batteries to operate. But customers like CSIS do use Yubico’s free open source software to customize keys and create their own backend validation servers and services. The Yubico open source tools are also used to program and control YubiKey encryption secrets, or add a ModHex Calculator among other options.

Qvist only began using YubiKeys a year ago, which means he has gotten to warp speed very quickly. Now they are part of everyday operations.

“Our different departments have different patterns of work and we don’t have to disturb those patterns,” he says.

Qvist says one particular customer had a large IT department with a few security guys who scrutinized everything. “When we gave them YubiKey, they saw how it worked and how [it applied] to their use cases. That got ideas rolling around in their heads,” he says.

Enough ideas in fact to fuel more knowing smiles from Qvist.

John Fontana is the Identity Evangelist at Yubico. Also follow his Identity Matters column on ZDNet

Share this article:

Recommended content

Seven tips if you’re still scratching your head after reading Biden’s cybersecurity executive order

Yubico works with a lot of federal agencies and contractors, as well as with customers in regulated industries, so we understand the challenges new compliance regulations can bring. The executive order that was released May 12 can be seen as the federal government fully embracing the move toward multi-factor authentication (MFA) for use cases where ...

Entrust to add support for YubiKeys with PIV alternative and PIV derived credentials, advancing secure mobile and desktop authentication

Today marks an important day for expanding Yubico’s reach to support the growing requirement for Government agencies to issue government credentials beyond Personal Identity Verification (PIV) cards. We are celebrating that our partner Entrust will soon launch support for derived PIV credentials for YubiKeys. Customers will be able to take advantage of YubiKeys with derived ...

Yubico and ID.me provide remote identity proofing, YubiKey delivery, and strong authentication for NY Air National Guard (and see our joint presentation at Identiverse)

The pandemic has forced a digital transformation of how and where employees work at an accelerated rate, driving remote work scenarios for tens of thousands of state and federal personnel. These accelerated work scenarios require users to be strongly verified and authenticated. A strong binding between the remote identity proofing process and the authenticator is ...

State of Alert: Multi-factor authentication and the future of data

Read this report to learn why multi-factor authentication is critical for state and local government agencies, the consequences of not strengthening authentication, and how to bridge to a passwordless future