When security consultant Ian Qvist talks about YubiKeys, he does so with a knowing grin and the knowledge he’s tightening security without adding complexity. Qvist works with customers such as government agencies and Danish banks whose IT teams are looking for answers to specialized security needs.
“We use YubiKeys in a lot of places,” says Qvist, an eCrime senior consultant for CSIS Security Group A/S in Denmark. “They are so flexible we use it wherever we want to.”
The YubiKey is a simple USB key that looks like a keyboard to your computer and, with a simple touch, delivers two-factor authentication to secure logins.
Qvist says CSIS, which stands for Cyber Security and Intelligence Services, discovered the power of YubiKeys when he rolled out the LastPass password manager internally to the company’s employees. Being security-minded, the employees were concerned that all their passwords were in one place. Qvist quieted concerns by strengthening authentication to the password manager with a YubiKey.
“LastPass was the first place we used YubiKey,” he said. “Insert the key, touch it and it is set up, anyone can do that.”
Ever since, the 10-year-old company has been finding spots in government and banking where the YubiKey can boost security and protect end-users, systems and digital resources. And now the YubiKey is an important element in the security services CSIS offers clients.
Today, YubiKeys also are used at CSIS to bolster security for other services including Microsoft’s Remote Desktop Protocol, VPNs and domain passwords.
“Because the YubiKey can be configured, we use them for many different applications,” Qvist said. “That is amazing for us. And we are coming up with new ways to use them.” YubiKeys can be set up for a long static password or the Open Authentication (OATH) standard.
He says from a security perspective the ease of use and configuration options are what make the YubiKey so valuable.
CSIS uses Yubico’s personalization tool to deploy YubiKey security with many different authentication methods.
YubiKeys support Yubico one-time passcodes, Open Authentication (OATH) including HOTP and TOTP, Challenge-Response and Static Passwords. The YubiKey NEO also supports Near-Field Communication (NFC) for using the YubiKey with mobile devices; smart card functionality, including PIV and OpenPGP; and, later this fall, the FIDO Alliance’s Universal Second Factor (U2F) protocol.
CSIS uses both the YubiKey Nano form factor, which tucks inside a USB port and can be left in the computer, and the Standard form factor, a small, hermetically sealed device that can attach to a keychain.
YubiKeys don’t require any software installation, drivers or batteries to operate. But customers like CSIS do use Yubico’s free open source software to customize keys and create their own backend validation servers and services. The Yubico open source tools are also used to program and control YubiKey encryption secrets, or add a ModHex Calculator among other options.
Qvist only began using YubiKeys a year ago, which means he has gotten to warp speed very quickly. Now they are part of everyday operations.
“Our different departments have different patterns of work and we don’t have to disturb those patterns,” he says.
Qvist says one particular customer had a large IT department with a few security guys who scrutinized everything. “When we gave them YubiKey, they saw how it worked and how [it applied] to their use cases. That got ideas rolling around in their heads,” he says.
Enough ideas in fact to fuel more knowing smiles from Qvist.
John Fontana is the Identity Evangelist at Yubico. Also follow his Identity Matters column on ZDNet.