Weak passwords and the employees that use them are the biggest threat to IT security, Raj Nagalingam, Senior Systems Engineer at LinkedIn, told the audience at last week’s Oktane15 conference.
To combat such threats at LinkedIn, Raj has turned to Okta’s multi-factor authentication as one way to protect resources and employees (often times from themselves).
Raj and Jerrod Chong, Vice President of Solutions at Yubico, walked the Oktane15 audience through the YubiKey’s benefits and strengths, and the strategy and tools LinkedIn used to deploy Okta’s cloud-based Adaptive Multi-Factor Authentication with a one-time password (OTP) generated by a YubiKey.
LinkedIn’s user login begins with entering a user name and password into Okta. If valid, Okta pops up a window asking the user to insert and touch the button on their YubiKey. The Okta platform checks to ensure the YubiKey itself is registered to the user before verifying the OTP. Upon successful OTP validation using the Okta validation service, the user is allowed to log in.
Raj stresses that YubiKey’s OTP is harder to phish and is resistant to malware since nothing can be written to the key. And, he added, users are instantly hooked on the ease-of-use.
“If you ask your mom to do this, she can,” he told the audience.
LinkedIn’s current plan is focused on Yubico OTP, but in the near future, the company wants to move to authentication using the FIDO Alliance’s U2F protocol that is based on public key cryptography.
During the session, LinkedIn also reviewed how it used the security and policy framework developed by the Cloud Security Alliance (CSA) to decide how to enforce second-factor authentication for applications. The framework categorizes applications into three levels — Limited, Confidential, and Highly Confidential — each of which define required access controls for apps.
“We grade every app in our environment and our security team makes decisions based on data classification,” said Raj. “In today’s world, everyone works in cloud apps and they use passwords that are static and weak. I recommend enabling multi-factor authentication.”
And he thinks the YubiKey has the right stuff. “It’s fast and easy. Just insert and touch.”