The Beaumanoir Group in France secures privileged accounts with the YubiKey

The Beaumanoir Group protects against targeted cyber attacks with phishing-resistant MFA and the YubiKey

François Kayser, IT Domain Director, Infrastructures Flow and Security, felt that multi-factor authentication (MFA) was the only certain way to significantly lower the risk of targeted attacks. “There are many challenges in my day-to-day work,” notes François Kayser. “But one of my main tasks is ensuring access to information systems is secure.” 

At first, the IT security team rolled out one-time passcode (OTP) solutions installed on work or personal smartphones which generate a random passcode for two-factor authentication. However, like many organizations, Beaumanoir realized mobile-based authentication was not appropriate for users who did not have work phones or for situations that required more versatility or high-assurance security. 

At Les Assises de la Sécurité conference in 2019, François Kayser met with Yubico and learned about the YubiKey, a hardware security key that provides phishing-resistant MFA, with multi-protocol support including FIDO U2F, FIDO2/WebAuthn, PIV/Smart Card and OTP. After evaluation, the team decided the YubiKey offered the flexibility and versatility needed to secure privileged user access and to help protect a number of its more vulnerable point-of-sale (POS) systems.

“There are a lot of opportunistic attacks, and we have detection and protection systems against those, but for attacks that are more targeted, we need to lower risk with regard to external access. This led us to MFA and the YubiKey.”

The YubiKey offers portable and trusted security for privileged users across devices, apps and platforms

In his role, François Kayser has to support access to corporate IT systems such as email and Microsoft Office 365 resources, as well as privileged access to data, devices or systems operated by technical administrators, network system administrators, developers and Software-as-a-Service (SaaS) application system admins. 

Beaumanoir leverages public key infrastructure (PKI) to provide high-assurance authentication to on-premise workstations, but this solution on its own lacked flexibility for remote and cloud-based administrator access. For this, Beaumanoir chose the YubiKey 5C NFC, which can support PKI across a wider range of devices and cloud-based applications through both Smart Card and FIDO2/WebAuthn standards. François Kayser, who is constantly on the go, chose to use the ultra-small YubiKey 5 Nano, which is designed to securely stay in the USB port of his laptop.

With the benefit of hindsight, François Kayser notes that the YubiKey was ultimately more cost-effective than the alternative solution for privileged access which is purchasing work phones to support OTP for administrators. The total cost of enterprise mobility can be as high as $1,840 per owned device, including the cost of purchasing devices, recurring service costs, enterprise device management software and security software, not to mention the cost of device replacement or support. In a Total Economic Impact (TEI) study conducted by Forrester Consulting, the YubiKey demonstrated a net present value (NPV) of $3.2 million and an ROI of 203% over three years.

“We use the YubiKey when we have administrator access that requires MFA and when MFA cannot be provided by a mobile phone, whether that concerns on-prem or SaaS applications,” says François Kayser. “The advantage of the YubiKey is its versatility and the ability to do both OTP and also store certificates on the key.”

Beaumanoir uses the YubiKey to store the authentication certificates generated by their PKI to support remote privileged access via VPN to secure systems. The YubiKey’s hardware design enables the secrets to be stored on a separate secure chip built into the YubiKey, so it cannot be copied or stolen, offering the highest level of security and a portable root of trust for access to on-premise and cloud-based systems. 

The process of moving certificates from a TPM chip in shared workstations to the Yubikey was “relatively simple,” according to François Kayser, with very little documentation needed to onboard users to their YubiKeys.

Deploying the YubiKey to secure POS systems

As a retail group, Beaumanoir places a high priority on its POS system(s) security to ensure transactions and customer data are kept safely. In addition to physical security precautions and other controls, Beaumanoir runs filtering based on the output IP of its networking technology. However, a limited number of stores and POS systems were outside the MPLS network, relying only on username and password for access. 

Beaumanoir deployed the YubiKey 5C NFC to secure access to these POS systems, introducing a second factor to the authentication process.

“The advantage of the YubiKey is its versatility and the ability to do both OTP and also store certificates on the key.”

Beaumanoir and Yubico – Building a modern cybersecurity approach for the present and future

The high availability of sensitive data makes the retail and hospitality industry a lucrative target for cyber attacks including phishing, ransomware and data theft. In fact, 69% of retail organizations report being attacked by ransomware in a single year. It is therefore essential that the retail sector globally lowers cybersecurity risk by adopting modern, strong authentication. The YubiKey provides Beaumanoir with highest-assurance, phishing-resistant MFA to both protect privileged access and allow a frictionless solution for POS systems.