White paper: Bridge to Passwordless best practices
Deploying enterprise software or services that lack a management console is comparable to jumping out of a plane without a parachute. It’s just not done without damaging consequences. Today, Google delivered a parachute to all high-flying enterprises seeking managed two-factor authentication for their Google Drive for Work deployments. The company updated the Drive for Work Admin console to include tools for managing Yubico’s U2F-compliant keys, which are essential to Google’s two-step verification (2SV) security protection.
Compatible YubiKeys give end-users strong authentication while Google’s Admin console provides administrators the tools for deploying, monitoring and managing, at scale, keys based on the FIDO Alliance’s Universal 2nd Factor (U2F) protocol. YubiKeys support the U2F protocol that Yubico co-created and that works with Gmail and other U2F compatible services.
This milestone tracks on Yubico’s vision for U2F and a world where one key can authenticate to many services. And it signals a powerful evolution of the enterprise value in Yubico’s lineup of FIDO-compliant keys, and the emerging scalable, open authentication FIDO standard. Enterprises and organizations now have a richer package including the backend management infrastructure, a universal client (Chrome), and a hardened security device in U2F-compliant keys.
A Yubico U2F authenticator is easily enrolled by the end-user, who inserts it into a USB port and touches the button when prompted (see video below).The U2F protocol uses public key cryptography and is specifically designed to protect against man-in-the-middle and phishing attacks and preserve privacy. In addition, YubiKeys are resistant to malware because nothing can be written to them, and their secrets are protected by a secure element.
Coupled with Google Drive for Work, which offers data storage and collaboration tools, YubiKeys shut out hackers, phishers, and other virtual ne’er-do-wells. Even with your username and password, the bad guys can’t get into your account without also having stolen your physical YubiKey.
With this model, end-users, partners and contractors can bring their own security device and control their identity while the enterprise can control access not by assigning passwords, but by activating or deactivating U2F-compliant keys — without ever needing to collect and store the end-user’s secrets.
Security for Google Drive for Work has been defined by username and password. And previous 2SV options all required the addition of unmanaged codes delivered via SMS, mobile apps or printouts, which have their own vulnerabilities to man-in-the-middle attacks and increase friction for end-user adoption.
Google’s 2SV management tools come to Drive for Work without the need to install any additional software because the tools are embedded in the existing Admin console.
With new administrative features for YubiKeys, organizations now have the management piece they need to implement and control 2SV rollouts. This relegates passwords to nothing more than an identifier, thus eliminating it as a form of account protection. (Expel your sigh of relief here).
For enterprises, this is the strong authentication parachute they should be demanding.