Keytos Security enables secure passwordless environments with the YubiKey
A trusted partnership to help eliminate passwords and strengthen phishing defense in corporate and government environments
Keytos Security streamlines passwordless onboarding with YubiKeys that support modern FIDO authentication
With a mission to make the path to passwordless authentication a stress-free experience, Keytos Security was founded in 2021 by Marcos and Igal Flegmann during the height of the pandemic and the growing need to support and secure a distributed workforce.
While passwords and traditional multi-factor authentication (MFA) approaches are highly phishable and vulnerable to attack, modern MFA approaches, including passwordless MFA, offer strong phishing-resistance proven to stop account takeovers in their tracks. Keytos Security works with a wide spectrum of organizations, from small companies to governments and organizations bound by the need to adopt phishing-resistant MFA in the form of FIDO2 and/or smart card to meet compliance, supplier contract or cyber insurance requirements. Many of these organizations have extensive Microsoft infrastructure so securing and enabling passwordless in these environments was a key necessity. Keytos Security specializes in enabling passwordless FIDO2 authentication with the likes of Microsoft Azure Active Directory, and Office365, among others.
Keytos Security created a toolset to help organizations improve their security by scaling public key infrastructure (PKI) and identity management and streamlining passwordless onboarding. “I’ve been fighting passwords literally since day one of my professional career—the breaches, the high cost of password resets,” shares Igal Flegmann, who is the CEO and co-founder of Keytos Security and had previously overseen the passwordless deployment at Microsoft itself. “But I realized early on that the transition to passwordless is easier said than done. You need the right tools and a clear strategy to make it possible.”
To help make that transition stress-free, Keytos offers advisory services and a toolset that includes extending Microsoft Azure AD identity into hard-to-reach SSH endpoints, a SSL certificate management service, a PKI-as-a-Service product and its flagship EZSmartCard passwordless onboarding tool for FIDO2, smart card and authenticator app. “We help organizations manage identity in the cloud,” explains Igal Flegmann.
When Keytos Security began expanding its EZSmartCard beyond smart card to include FIDO2, they turned to Yubico, and its flagship security solution, the YubiKey, a hardware security key purpose-built for security and enabling secure passwordless workflows due to its support for both Smart Card/PIV and FIDO2 authentication. With the YubiKey, users gain fast and easy access to sensitive systems and data by touching the YubiKey and then entering a PIN, meeting the highest assurance requirements.
Keytos Security is a trusted Yubico partner, picking up where Yubico’s enterprise-ready services such as YubiEnterprise Subscription and YubiEnterprise Delivery leave off. While these enterprise services help global organizations more flexibly adopt modern hardware MFA and enjoy turnkey key delivery services to users around the globe, Keytos Security extends Yubico’s reach by helping organizations eliminate the need for in-person credentialing with self-service certificate-based identity creation and onboarding for key replacement or lost PIN scenarios. The YubiKey is the only hardware security key supported by Keytos Security, a testament to the strong security and partnership on both sides.
Key results:
- Phishing-resistant passwordless MFA
- FedRamp high compliance
- Support for multi-tenant administration
- Easy to use
Yubico and Keytos Security eliminate the high cost of passwords
Passwords cost organizations a lot of money—beyond the obvious risk. Organizations expend effort setting and managing password policies, including costly resets, while employees struggle with poor user experiences associated with forgotten passwords and lengthy mobile authentication scenarios, including SMS one-time passcodes.
“Yubico offers amazing tools, and we offer the software that makes those amazing tools even more powerful.”
For the average organization, 60% of IT service desk interactions are related to password resets at a cost of $10 per ticket and two hours in lost employee productivity. Research has demonstrated that the YubiKey alone can reduce IT support tickets by 75%, without even factoring in Keytos EZSmartCard self-service capabilities to support forgotten PINs.
“Passwords are bad, and humans are bad at setting them, but they are also costly to manage. That human time costs money often more than organizations realize,” says Flegmann. “If you have even just one person working on password resets, and often it’s four or five, going fully passwordless will save money, time and headaches.”
Yubico and Keytos Security partner in enabling Zero Trust and compliance
As organizations have adapted to supporting a remote and hybrid workforce, the need for Zero Trust—an approach that reduces risk by assuming all users, devices, applications, and transactions are potential threats that should be verified and authenticated before access is granted—has expanded. “You don’t have that network boundary to protect users,” explains Flegmann. “You didn’t have the same worries about attacks or revoking SSH keys if people left. The network boundary was enough. With today’s remote and blended workforce that’s no longer the case.”
Keytos Security helps organizations ensure Zero Trust principles extend into all edge cases such as Linux servers and SSL certificates, a process that begins with an Identity Assessment. “We come in and help organizations understand what Zero Trust is and how to achieve it,” says Flegmann. “And we figure out the right solutions.”
In the face of increased attacks, the regulatory environment is now shifting to require more organizations, including all federal government agencies, to adopt phishing-resistant MFA. Most predominantly, White House Executive Order 14028 and OMB 22-09 require federal agencies, and downstream partners, to accelerate Zero Trust adoption with phishing-resistant MFA, including FIDO2 passwordless. Phishing-resistant MFA and passwordless also help organizations achieve Cybersecurity Maturity Model Certification (CMMC).
Keytos Security as a fully passwordless organization
While the YubiKey remains tightly coupled with Keytos Security’s own business offering, it has also been integral to the company’s own internal cybersecurity practices. Igal and Marcos Flegmann implemented the YubiKey from day one at Keytos Security. “Our corporate environment is fully passwordless,” notes Flegmann. “Not a single human or computer has a password.”
“Passwordless is not optional anymore. We’re seeing the trickle down of Executive Order 14028. We’re seeing business contracting requiring best practices of suppliers. We’re even seeing the incentive coming in from cyber insurance. But once people achieve true passwordless, they quickly realize it’s so much better. Our vision is to help organizations get there quickly and in a stress-free way.”
Flegmann shared that one of the first pictures he took after founding Keytos Security was seven YubiKeys plugged into their boxes on the table with the caption ‘This is how you start a security company’. Despite its size, and given Igal’s experience with Microsoft, Keytos Security relies on Microsoft Azure. “With our tool, it’s pretty straightforward,” explains Flegmann, “You log in, you do everything, and you magically get Azure CBA and FIDO2. So, we’re using all Microsoft identity.”
Keytos Security designed its infrastructure to meet FedRamp high standards, allowing the company to work with government and healthcare clients. In addition to its phishing-resistant passwordless MFA, Keytos Security leverages least privilege access controls for its internal systems and segregation of identities and devices, requiring a separate laptop and YubiKey for secure administrative access into Microsoft Azure AD.
“A lot of organizations we talk to have no idea how close they are to passwordless. If they already have Azure AD, it’s only a small leap and all the hassle, time, and expense that comes with passwords can just go away.”
YubiKeys deliver a frictionless and secure user experience
Igal Flegmann has experienced the benefits of the YubiKey dating back to his years working with Microsoft. Back in 2017 when Microsoft began its passwordless journey, the lack of maturity in the toolsets available resulted in a phased deployment over many months, a process that Keytos Security is shaving down to just weeks for current clients. Furthermore, organizations can self-provision the entire passwordless experience from the Azure marketplace, bundling their YubiKeys and their EZSmartCard purchase to quickly deploy and scale their infrastructure in an entirely hands-off capacity.
“At Microsoft, we had to fend off people who were asking when it was their turn to get their YubiKeys,” said Flegmann, “The user education piece quickly went from concern over ‘another security tool’ to ‘This is the greatest thing ever and when can my team get onboarded!’” The same has carried over to experience within Keytos Security and with their clients.
“Passwordless is not optional anymore. We’re seeing the trickle down of Executive Order 14028. We’re seeing business contracting requiring best practices of suppliers. We’re even seeing the incentive coming in from cyber insurance. But once people achieve true passwordless, they quickly realize it’s so much better. Our vision is to help organizations get there quickly and in a stress-free way.”
User experience is a central tenet for Yubico and to Keytos Security: to deliver a frictionless and secure experience for every user and every organization. From Yubico’s development of YubiEnterprise Subscription and YubiEnterprise Delivery services to the partnership with Keytos Security to offload onboarding services from IT departments, the goal is to continually refine the end user experience.
“YubiKeys make security actually easier for people,” says Flegmann. “It removes the complex 19-character passwords and all the clicks. You just plug in your YubiKey, and it does its cryptographic magic to secure your stuff.”
“Our customers have been incredibly receptive to the YubiKey and the EZSmartCard partnership. Every time we have an installation, it stays installed. So, our retention rate is fantastic.”