
The Diocese of St. Pölten deploys the YubiKey to protect privileged users against modern cyber attacks

The Roman Catholic Diocese of St. Pölten (Diözese Sankt Pölten) was established in 1785 within the ecclesiastical province of Vienna, Austria. Today, it includes 422 parishes, involving the work of over 500 priests and external employees, and 300 staff at the diocese headquarters.
“We were able to use the YubiKey for so many systems and services, far beyond our original scope. While we first set up Smart Card on the YubiKey, today we also use passkeys on the YubiKey to access Entra ID and other online accounts.”
The critical need to secure privileged access
As the Diocese of St. Pölten utilizes technology to manage many aspects of its affairs, cyber attacks could place parishioner data or financial information at risk, and lead to costly liabilities or a loss of public trust. For example, a threat actor compromised the Diocese of Virginia in 2023, maliciously diverting over USD $485k (€459k) to unauthorized accounts.
As the Deputy Manager of IT for the Diocese of St. Pölten, Christian Filzwieser understood the vulnerabilities associated with legacy authentication methods such as passwords. Across the globe, 90% of all cyber attacks leverage social engineering, with compromised credentials and phishing representing the most commonly successful initial attack vectors. Privileged credentials, in particular, are a prime target for cyber criminals, as they allow for means of entry into a network at a higher level, with wider access to exploitable data or systems.
To reduce the threat associated with its privileged IT and administrative users, Filzwieser wanted to eliminate passwords from all administrative accounts and systems. “Our privileged accounts were only protected with passwords, which was not secure enough,” says Filzwieser. “We wanted to align our approach to managing authentication with best practices and leverage modern technologies to ensure our data and systems would be secure and efficient.”
Going passwordless with highest-assurance security
The Diocese of St. Pölten consulted with Antares-NetlogiX, an existing partner well-recognized for developing and supporting complete IT solutions. Antares-NetlogiX recommended the YubiKey. “We are big fans of YubiKeys and use them within our own company, as well as with many of our customers,” says a cybersecurity specialist at Antares-NetlogiX. “We recommended the Diocese of St. Pölten use the YubiKey for all administrative tasks.”
Filzwieser chose the YubiKey 5 Series, a hardware security key lineup offering strong phishing-resistance and enabling passwordless authentication. With its multi-protocol authentication capabilities, such as FIDO2/WebAuthn (passkeys), Smart Card/PIV and OTP support, any security key from the YubiKey 5 Series works seamlessly with both legacy and modern environments. Organizations can stop modern cyber threats like phishing in their tracks and eliminate account takeovers. With the YubiKey, the Diocese achieved its goals for the project and modernized and secured its IT environment.
“We needed to upgrade authentication for our in-house IT team. We wanted to be state-of-the-art and only use best practices and modern technologies. Upon the recommendation of Antares-NetlogiX, our trusted partner, we rolled out the YubiKey.”
The YubiKey secures Microsoft Entra ID
The YubiKey is designed to be easy to deploy, supported by hundreds of applications and services out-of-the-box, both in the cloud and on-premise. With the help of Antares-NetlogiX, Filzwieser’s team was able to seamlessly implement the YubiKey into Diocese systems, including both legacy systems and cloud resources protected by Microsoft Entra ID.
Initially, the Diocese of St. Pölten intended to deploy phishing-resistant authentication using only the Smart Card protocol, but the flexibility of the YubiKey encouraged Filzwieser to increase the scope of the deployment to leverage FIDO2/WebAuthn (passkeys) for passwordless access to Entra ID and other cloud services. For the small number of legacy on-premise systems, the Diocese used the YubiKey as a second authentication factor with the OTP protocol. “We are constantly discovering new functions and compatible services, far beyond the original scope,” says Filzwieser. “It’s been fascinating to see where we’re able to use the YubiKey.”
“We were surprised by Yubico’s product, both in terms of the security it provides and how easy it was to implement. We are continually amazed at all the new ways we can use the YubiKey to modernize and further improve our security.”
Path to the future with easy-to-use, modern authentication
Filzwieser’s IT team chose to roll out the YubiKey slowly, gradually introducing IT staff to the YubiKey and its security benefits. With the help of Antares-NetlogiX, Filzwieser created a guide to help users self-enroll their YubiKeys as Smart Cards. While some older employees were initially slow to adapt to change, the security benefits and the ease of using the YubiKey for passwordless authentication have smoothed the transition. “Everything has become simpler, more transparent and more secure,” says Filzwieser. “All while using a very manageable level of resources, both financially and in terms of personnel. The benefits far outweigh the costs.”
“The YubiKey not only helped make authentication more secure, it is now also less complex. Our staff enjoy how easy it is to use the YubiKey.”
The IT team had full support from senior management, helping set the project up for success and showcasing that even historic organizations can implement best-of-class modern IT infrastructure, and the journey isn’t over yet. Looking ahead, as the concept of privileged users expands beyond the IT function, the next step for the Diocese of St. Pölten is to close more gaps in its security by extending the use of the YubiKey to management personnel.