LinkedIn Secures Employees with MFA, Okta, YubiKey

November 10, 2015 2 minute read

Weak passwords and the employees that use them are the biggest threat to IT security, Raj Nagalingam, Senior Systems Engineer at LinkedIn, told the audience at last week’s Oktane15 conference.

LinkedIn and Okta MFA

To combat such threats at LinkedIn, Raj has turned to Okta’s multi-factor authentication plus the YubiKey as one way to protect resources and employees (often times from themselves).

Raj and Jerrod Chong, Vice President of Solutions at Yubico, walked the Oktane15 audience through the YubiKey’s benefits and strengths, and the strategy and tools LinkedIn used to deploy Okta’s cloud-based Adaptive Multi-Factor Authentication with a one-time password (OTP) generated by a YubiKey.

LinkedIn’s user login begins with entering a user name and password into Okta. If valid, Okta pops up a window asking the user to insert and touch the button on their YubiKey providing LinkedIn with MFA. The Okta platform checks to ensure the YubiKey itself is registered to the user before verifying the OTP. Upon successful OTP validation using the Okta validation service, the user is allowed to log in.

Raj stresses that YubiKey’s OTP is harder to phish and is resistant to malware since nothing can be written to the key. And, he added, users are instantly hooked on the ease-of-use.

“If you ask your mom to do this, she can,” he told the audience.

LinkedIn’s Move To U2F

LinkedIn’s current plan is focused on Yubico OTP, but in the near future, the company wants to move to authentication using the FIDO Alliance’s U2F protocol that is based on public key cryptography.

During the session, LinkedIn also reviewed how it used the security and policy framework developed by the Cloud Security Alliance (CSA) to decide how to enforce second-factor authentication for applications. The framework categorizes applications into three levels — Limited, Confidential, and Highly Confidential — each of which define required access controls for apps.

“We grade every app in our environment and our security team makes decisions based on data classification,” said Raj. “In today’s world, everyone works in cloud apps and they use passwords that are static and weak. I recommend enabling multi-factor authentication.”

And he thinks the YubiKey has the right stuff. “It’s fast and easy. Just insert and touch.” Discover more about YubiKey MFA and the companies and programs, like LinkedIn, we support from our Works with YubiKey page.

Share this article:

Recommended content

Thumbnail

Stop enterprise-wide identity phishing with modern strong authentication

Learn best practices to protect against enterprise-wide identity phishing and why mobile authentication just isn’t good enough.

Thumbnail

Zero Trust is the new regulatory minimum for Federal agencies: what does that mean for authentication?

The deadline is looming for federal agencies to implement impersonation-resistant multi-factor authentication (MFA), just one of the new stronger security requirements under President Biden’s new cybersecurity executive order (EO 14028). The EO puts security front and center to address some of the worst cyber attacks against the federal government, setting up new federal compliance expectations ...

Thumbnail

Modern MFA for the Federal Government: How the YubiKey Meets U.S. Federal Government Requirements

Learn how the YubiKey, a DOD approved alternate authenticator meets federal PIV/CAC requirements and government compliance regulations.

Thumbnail

Modern Authentication for the Federal Government: Enabling Mobile, Secure Authentication in Zero Trust Environments

Learn how DOD approved hardware security keys such as the YubiKey are ideal to fill PIV and CAC related authentication gaps across the federal government, and meet the MFA mandate in the Biden Executive Order 14028.