FEATURED CUSTOMER

MAIRE Goes Passwordless with YubiKeys

Multinational engineering company improves security and simplifies user experience for global workforce.

Faster login without passwords
Unites digital and physical access
Secure cloud access with Microsoft 365 Link PC
“We use the YubiKey not only for passwordless access and phishing-resistant authentication but also for office entry, parking, printer usage, smart lockers, and device as a service. The YubiKey is a unique pillar uniting digital and physical identities.”
Andrea Sgarlata, Identity Manager | MAIRE

Making the Energy Transition Happen

MAIRE Group is an engineering and technology company which develops sustainable solutions for the energy transition. MAIRE’s 10,000 employees are located at the group’s headquarters in Milan, Italy, as well as in around 50 countries globally. The company has a rich history of innovation and willingness to embrace new technologies not only in its many global projects, but also in its workplace practices and day-to-day operations.

Andrea Sgarlata is Identity Manager at MAIRE, responsible for managing identities of MAIRE employees, as well as external partners and, increasingly, agentic AI. Andrea has fulfilled various roles and seen the company change dramatically since joining in 2010. As the company has expanded, new solutions for managing identities have become necessary.

Fortifying 10,000 Identities in a Zero Trust World

In Sgarlata’s time at MAIRE, managing identities has proven increasingly crucial for the organization’s cyber resilience. “One of the biggest threats we face is identity takeover, identity impersonation or credential stealing,” says Sgarlata. For this reason, MAIRE applies a Zero Trust approach: “The Zero Trust principles are quite simple,” says Sgarlata. “Never trust, always verify. This is something we apply every day, on every project.”

Fabio Vaghi, IT Service Management Senior Specialist at MAIRE, sees strong authentication as essential for preventing identity takeovers. “Cyber security is the pillar of my job,” says Vaghi, “because we have users that travel around the world, and manage many responsibilities, it’s very, very important to be able to identify the user.”

“One of the biggest threats is identity takeover, identity impersonation or credential stealing. We have to always be one step ahead.”
Andrea Sgarlata, Identity Manager | MAIRE

Historically, MAIRE protected user identities with passwords. In a single day, a typical user would be required to enter their passwords 10-15 times, and for enterprise administrators it could be up to 50 times, while users’ passwords were often stored in bulk by admins in Excel files. “Users often didn’t remember passwords,” says Vaghi. “There was also the risk that the user’s credentials could be used by someone else without any intentional sharing.”

The inherent security vulnerabilities, user discontent and burden on support made it clear passwords were not a sustainable method of authentication. “Passwords are not phishing-resistant,” says Sgarlata, “because anyone can have my password and impersonate me. It is a legacy method; removing passwords is an improvement of your security posture.”

MAIRE’s Journey to Passwordless 

In 2019, MAIRE decided to become a passwordless company. “Our CIO, Michele Mariella, is a visionary,” says Sgarlata. “Even when technology providers were not ready, he decided to follow this path. This wasn’t just choosing a new authentication method: being ready to become passwordless required adapting our environment and moving all applications and services to the cloud.”

The centerpiece of MAIRE’s passwordless strategy was the YubiKey, a hardware security key containing the most secure passkeys, that requires a physical touch or tap to authenticate and effortlessly blocks man-in-the-middle attacks. Manufactured in Sweden with a secure European manufacturing process and supply chain, a single YubiKey can store 100 FIDO2 passkeys, as well as Smart Card credentials and more.

The YubiKey’s multi-protocol capabilities meant that MAIRE could implement the technology immediately to replace one-time password and Smart Card use cases, while taking their time to prepare their environment to be fully passwordless with FIDO2 passkeys.

“In the past users needed to insert their passwords 10-15 times per day. For enterprise administrators, it was 50 times. The passwordless scenario is almost heaven. This is the way of the future for us.”
Fabio Vaghi, IT Service Management Senior Specialist | MAIRE Group

YubiKey: A Pillar Uniting Physical and Digital Worlds

MAIRE quickly started testing how best to utilize the flexible, multi-protocol YubiKey. While multi-factor and certificate-based authentication were seen as the natural place to start, MAIRE always had more ambitious plans in mind. “At MAIRE, when we adopt one technology, we try to fully integrate it and take it a step further, merging different scenarios to make life easier for users,” says Sgarlata. This proved no different with the YubiKey, which MAIRE decided to use not only to authenticate to online services, but also for physical access. MAIRE worked methodically, partnering with the technology vendors who supply MAIRE’s gates, printers, lockers, and more. Vendors were initially sceptical, but by partnering together with Yubico, MAIRE was able to make their vision a reality.

“We wanted to use YubiKey for gate access. At first, our vendor said we were crazy, but if we want to do something, we do it. Thanks to the vendors who worked with us, and thanks to Yubico, we did it.”
Andrea Sgarlata, Identity Manager | MAIRE

Deploying Phishing-resistant MFA and Passwordless at Scale

When rolling out YubiKeys, the team began with their close colleagues in IT support before moving on to all employees in Italy. For the worldwide rollout, local IT teams were educated on how to enroll and manage the YubiKeys, and how to support the user lifecycle. If a user loses or breaks their YubiKey, certificates are remotely disabled, then an appointment is made with the user, where a new YubiKey is assigned.

Since the initial deployment, YubiKeys are introduced at induction for new employees. “The YubiKey is one of the pillars of the induction process,” says Vaghi. “There are 20-25 new employees almost every Monday, and we always take 10 minutes to explain why linking digital identity to physical identity is so important for cyber security.” MAIRE uses YubiKeys for authentication both via contactless NFC ‘tap and go’ technology, and by directly inserting the YubiKey into USB ports. This is true not only in offices, but also in engineering plants around the world, as well as for employees who are on the go or travelling.

“The YubiKey is a passwordless enabler, helping organizations improve their security posture and make life easier for employees.”
Andrea Sgarlata, Identity Manager | MAIRE

A Single YubiKey Unlocking Infinite Use Cases

Over the years since the initial deployment, and as technology providers have developed smoother processes for passwordless technology, MAIRE’s use of YubiKeys has grown. “We use the YubiKey to access all applications and services used by MAIRE, through single-sign-on (SSO) to Microsoft Entra ID,” says Sgarlata. “We also use the YubiKey for passwordless authentication on mobile: it is a truly passwordless technology.”

Physical access use cases have also expanded, allowing the YubiKey to truly become a pillar incorporating digital and physical identities: YubiKeys allow access not only to printers, lockers and office gates, but also the office parking lot and are even used to track who has purchased lunch at the company cafeteria. FIDO2 passkeys are used for all passwordless authentication on devices, in conjunction with a PIN for added security and a ‘credit card experience’. Physical access use cases rely on the YubiKeys’ contactless NFC capability, requiring only a simple tap.

“We can use one single device to do everything, without smartphones and without remembering passwords. The YubiKey is all that we need here in our building, and in all our sites around the world.”
Fabio Vaghi, IT Service Management Senior Specialist | MAIRE Group

Enhancing Security and User Experience

Sgarlata looks back at the implementation of YubiKeys with pride. “The result is an improved security posture,” he says, “because passwordless authentication is phishing-resistant. It avoids the possibility that users can forget their password, or that it can be stolen by attackers. The feedback from employees is that it makes life simpler. The only thing they need to remember is to always bring their YubiKey.”

Vaghi, whose Support team is responsible for dealing with any YubiKey-related issues, sees the linkage of digital and physical identity as a powerful benefit: “The YubiKey is now another piece of modern infrastructure that is linked to our work life, like a smartphone or uniform. Simply put, we can use one single device to do everything, without having to remember passwords.” Eliminating the need to enter passwords many times each day also brings extensive time savings and so provides a powerful productivity boost for the organization.

“We made life simpler for our employees. They don’t need to remember passwords. The only thing they need to remember is to always have their YubiKey with them.”
Andrea Sgarlata, Identity Manager | MAIRE

Toward a Cloud Future: Securing Device-as-a-Service Environments

At MAIRE, satisfaction with a successful project soon leads to questions about what the next innovative step will be. “We are proud right now,” says Sgarlata, “but we are always thinking about what to do next, and in the future. We have to remain one step ahead.”

Sgarlata’s team have recently begun testing the Microsoft 365 Link PC as they move towards a ‘device-as-a-service’ model. “A user will only need to bring their YubiKey, and they’ll be able to access their device, which is stored in the cloud,” says Sgarlata. The first Microsoft 365 Link PCs have already been installed in MAIRE’s shared desk environments, allowing users instant and secure access to their cloud devices.

With YubiKeys already an integral part of working life for MAIRE employees, utilizing them for a device-as-a-service cloud-based model is a natural next step, keeping the enterprise secure from account takeovers, making employees’ lives easier and allowing MAIRE to continue inspiring not only a faster and more innovative energy transition, but a more user-friendly, phishing-resistant world.

“The future will be cloud computing. Every computer on the cloud. A user only needs to bring their YubiKey to access their device.”
Andrea Sgarlata, Identity Manager | MAIRE