
    Abtis secures customers’ digital futures with YubiKeys

    Protecting the IT supply chain with phishing-resistant MFA
    YubiKey 5C NFC

    Shaping customers’ digital futures and enabling productivity from anywhere

    Abtis is an IT services provider based in Pforzheim, Germany, specializing in Microsoft solutions. The modern workplace is increasingly reliant on cloud services, a trend which was supercharged during the pandemic as many employees moved to remote work. Abtis has a clear mission: to shape the digital future of its customers and enable their journey to digitization, so that employees can easily work from anywhere, including while on the move. New ways of working bring new challenges, including ensuring that all data stored on the cloud is secure. To mitigate risk, Abtis puts an emphasis on maintaining a strong cybersecurity team and equipping them with the right tools.

    Sebastian Thum is a senior SOC analyst at Abtis. He is part of the company’s cyber defense operations center, responding to cybersecurity incidents experienced by customers. The center is also the first point of contact for internal cybersecurity issues. As an IT services provider who looks after customers’ critical infrastructure, Abtis is part of customers’ IT supply chains. The recent NIS2 directive dictates that risk management by digital service providers in the EU will be increasingly regulated in the years to come, and Abtis is already well-prepared. “We are constantly monitoring where there is risk,” explains Thum. “To protect our customers, we also have to pay attention to our own safety. We’re mindful of maintaining a very high standard of security.”

    A growing need for strong, phishing-resistant MFA

    As a cybersecurity expert, Thum is well aware of global security trends. “When we talk about the global threat situation,” says Thum, “we keep coming back to the issue of Zero Trust. There are now three key issues to be aware of. Firstly, identity, which we can most effectively protect with a second authentication factor. Then, we also have to pay attention to the devices we use, whether we are working from home, from a train or anywhere else. Lastly, of course, we have the data. Thanks to cloud systems we can access our data wherever we are, and so we have to give this data appropriate protection. That’s what attackers are targeting: they want to take over identities, to get onto devices and to siphon off company assets in the form of data.”

    “As most people now know, telephone calls and SMS messages are not secure. We needed to look for an alternative offering the kind of security we can rely on – that’s when we came across YubiKeys.”
    Sebastian Thum, Senior SOC Analyst at Abtis

    At the core of a successful Zero Trust strategy is strong authentication, especially the kind that cannot be bypassed by hackers and offers strong resistance to phishing and other credential-theft tactics. Working with Microsoft products, Abtis had long been required to use multi-factor authentication (MFA), but there was a growing awareness that not all MFA is created equal. “To ensure the highest possible level of security we make sure we use the best possible products, and we are always looking around at the latest developments. We always have to be using state-of-the-art technology. Until recently we used the Microsoft Authenticator app, a telephone call or an SMS message. We can’t just use one second factor – we also require another factor to function as a backup. And since, as most people now know, telephone calls and SMS messages are not secure, we needed to look for an alternative which could offer the kind of security we can rely on.”

    YubiKeys raise the bar for security over mobile authentication

    It was during this search that Abtis first heard about YubiKeys, Yubico’s multi-protocol security keys, based on modern authentication protocols, which offer phishing-resistant MFA and eliminate account takeovers. “The biggest advantage of YubiKeys and Yubico solutions,” says Thum, “is the simplicity behind them. It’s not difficult to plug in or tap a YubiKey. YubiKeys are easy to use, reliable, robust and they don’t break. Another factor is that many employees don’t want to use their private phones for authentication, especially if that means installing an app, and not every employee gets a work phone. This is often a crucial point for Abtis customers, who can increase security without having to provide new phones for their whole company. At the end of the day, an iPhone 14 is a lot more expensive than a YubiKey. That’s a huge plus point.”

    “YubiKeys are easy to use, reliable, robust and they don’t break.”
    Sebastian Thum, Senior SOC Analyst at Abtis

    Abtis purchased YubiKey 5 NFCs, so employees can authenticate either using USB-C connections or through NFC (contactless) on their smartphones. The YubiKeys are used for FIDO2 passwordless authentication for computer login and SSO, using Microsoft Entra ID with Conditional Access. Employees also have the option to use the YubiKeys as a second authentication factor for other online services, including PayPal. “Employees use the YubiKey in several scenarios,” says Thum, “including remote work and on mobile devices. We’ve rolled it out across the board to all our employees.”

    A swift and successful hardware MFA deployment

    It took only two months to deploy YubiKeys to all Abtis employees. The YubiKeys were either sent in the mail or distributed on-site at offices, along with step-by-step instructions on how to set up the keys. A fixed date was set by which all SMS and telephone authentication would be removed; the YubiKeys had to be in use by that date, or access to accounts would be lost. Abtis didn’t stop with its own employees – it also encouraged its customers to use YubiKeys. “After more than a year of using YubiKeys ourselves we can say it was successful,” says Thum. “We’re also already celebrating success in projects where we’ve supplied customers with YubiKeys. There are more and more customers who actively use this solution and you see more and more applications. What I like best is that customers can also secure their VPN solutions with YubiKeys. Of course, this really adds value for the customer.”

    Abtis doesn’t restrict how employees use the YubiKeys. “The YubiKey is very widely accepted in our company, and people like them. We strongly encourage employees to use the YubiKey in their personal lives too,” says Thum. “And our employees are actively doing this. The great thing about them is the large number of profiles you have. I can use it for work, but I can also save personal accounts on the same YubiKey. This really benefits our employees.”

    Phishing-resistant MFA significantly reduces risk against cyber threats

    Thum is certain that deploying YubiKeys has prevented cyber attacks:

    “We hear time and time again how attackers get past multi-factor authentication because a careless employee took a call or pressed ‘Confirm’ on the Authenticator app. This problem doesn’t exist with the YubiKey.”
    Sebastian Thum, Senior SOC Analyst at Abtis

    As a result, Abtis and its customers have increased the level of safety for their systems and data. “You can say that the YubiKeys have improved our security,” says Thum. “The biggest benefit is that we have a phishing-resistant MFA solution and additional protection for our employees. There is also a cost benefit: we’ve been able to save a lot of money with it, which we can also recommend to our customers again and again.”

    “Strong MFA isn’t a question anymore – it’s now become mandatory,” says Thum. “Stop thinking about it and just do it. People used to say ‘no backup, no mercy’. Today you can say ‘no MFA, no mercy’. You should use phishing-resistant MFA for all systems you can, both business and personal. My advice to everyone is to stop using telephone calls and SMS authentication. The Authenticator app is still secure but, of course, with the YubiKey you can save money and go without work phones.”

    “The biggest benefit of YubiKeys is that we have a phishing-resistant MFA solution and additional protection for our employees. There is also a cost benefit: we’ve been able to save a lot of money with them.”
    Sebastian Thum, Senior SOC Analyst at Abtis