Government of Nunavut turns to phishing-resistant YubiKeys after ransomware attack
About Government of Nunavut
Nunavut is the northernmost and largest territory in Canada — roughly three times the size of Texas and larger than Spain, France, Germany, Italy, and England combined. Its 25 municipalities are fly-in only and are spread across challenging arctic climates. The Government of Nunavut relies on a decentralized IT team with regional support hubs to maintain the government’s IT infrastructure.
In November 2019, the Government of Nunavut was the victim of a sophisticated spear phishing attack, which ultimately led to ransomware that took down critical servers, phone lines, and applications. The Government of Nunavut looked to rebuild their infrastructure and regain trust by leveraging Microsoft’s Azure Active Directory (Azure AD) and M365 solutions. Protecting identities and access to applications and services became the top priority.
“Rebuilding trust was a massive undertaking. The scale and logistical challenges of the project were overwhelming. Then the global COVID-19 pandemic added an ever greater level of complexity and isolation that we couldn’t have planned for.”
The Government of Nunavut rebuilt their network over the course of six weeks, and began to look for additional security measures to protect user identities and credentials.
Microsoft + YubiKey
Due to inconsistent cellular networks across Nunavut communities and the constant threat of phishing attacks, the Microsoft Detection and Response (DART) security team recommended the YubiKey, Yubico’s phishing-resistant multi-factor authenticator (MFA). The YubiKey is a hardware security key that requires no network connection, no power source, and no client software. These factors made the YubiKey easy to use in extreme and inconsistent environments, while also significantly reducing phishing attack vectors. Leading industry analyst firms echoed the DART team’s recommendation, leading the Government of Nunavut to begin a proof of concept of the YubiKey.
Nunavut’s healthcare organizations, education system, and first responders all had various Windows-based systems that used different authentication protocols. While this would normally increase complexity and cost, the YubiKey’s multi-protocol functionality allowed government employees to use a single YubiKey to authenticate to their existing systems as a smart card as well as to modern cloud-based systems using the passwordless FIDO2 protocol, which was pioneered by Yubico and Microsoft.
“The YubiKey is the ideal ‘bridge to passwordless’ solution. We are able to provide our staff with phishing-resistant hardware authentication in the traditional environments, while also enabling the transition to passwordless workstation logins within Azure AD across all of Nunavut.”
Delivering Trust at Scale
The Nunavut region embraces short-term and temporary workers, such as doctors, nurses, specialists, and engineers. Most stay for three to six months, then relocate. The Government of Nunavut has over 1,000 transient employees arriving and leaving each year. While most security products are fairly rigid and would struggle to adapt to a dynamic user base, Yubico’s YubiEnterprise Services made it easy for the government to provision, replace, and upgrade YubiKeys to meet their constantly fluctuating needs.
Microsoft and Yubico’s Professional Services also worked to educate and support Nunavut through this rapid modernization effort.
“The initial rollout has been quite seamless and we have been able to quickly onboard our users. With a strong infrastructure in place and easy access to documentation and support, we are confident that we have taken back security and control.”
Beyond authentication in the work environment, Nunavut plans to actively encourage staff to use their YubiKeys to protect their personal accounts and data as well, minimizing attack surfaces while increasing individual security.