Ping Identity | Yubico
Strong phishing-resistant MFA for compliance with the EO
The shift to Zero Trust security
In May of 2021, the White House issued Executive Order (EO) 14028, Improving the Nation’s Cybersecurity, outlining new expectations and guidelines for zero trust and phishing-resistant multi-factor authentication (MFA) for federal agencies as well as their suppliers and partners.
Passwords, SMS, and other One-Time Passwords (OTP) are commonly used MFA solutions, but they are not phishing-resistant and are highly susceptible to cyber attacks. The Federal Government’s policy requires the use of authenticators compliant with Federal Information Processing Standards (FIPS) 140-2, which includes PIV and CAC, and authenticators that meet the technical requirements published in NIST SP 800-63B.
The federal Zero Trust architecture (ZTA) strategy, as outlined in the OMB memo M-22-09, requires federal agencies, staff, contractors, and partners to use phishing-resistant MFA to reduce the threat from sophisticated attacks. Phishing-resistant MFA refers to an authentication process that is immune to attackers intercepting or even tricking users into revealing access information.
A seamless journey to Zero Trust with Yubico and Ping Identity
Yubico and Ping Identity are globally recognized leaders in cybersecurity assisting public and private organizations on their journey to Zero Trust. Both are FIDO Alliance members working to set security standards.
Yubico offers the YubiKey—a FIPS 140-2 validated hardware security key proven to stop 100% of account takeovers in independent research. Ping Identity users, leveraging PingFederate, can take advantage of native support for the YubiKey for immediate compliance with the authentication requirements of OMB M-22-09 in a Zero Trust framework:
- FIPS 140-2 validated (overall level 1 and level 2, physical security level 3)
- Validated to NIST SP 800-63-3 Authenticator Assurance Level (AAL) 3 requirements
With Ping Identity and the YubiKey, government agencies can simply deploy federally validated, hardware-backed MFA across multiple applications and operating systems, as well as modern devices, with single-sign-on (SSO) capabilities. With certificate-based authentication, a user can leverage the YubiKey as a smart card with PingFederate to access web applications like Office 365. Yubico, Ping Identity, and EntryPoint have also teamed up to offer a no-code joint solution to enable phishing-resistant Derived FIDO2 Credentials along with identity proofing and centralized identity management.
The easy and highly secure solution has been tested and proven in the most security-conscious government and enterprise environments. Global organizations such as PayPal, Geisinger Medical Center, and Capital One trust Ping Identity and YubiKey to protect their users.
Phishing-resistant MFA for your journey to Zero Trust
FIDO2/WebAuthn
FIDO2 Passwordless via supported browser or desktop login
Certificate-based Authentication
With certificate-based authentication, a user can leverage their YubiKey as a smart card to access PingFederate protected applications.
Derived FIDO2 Credentials
Yubico, Ping Identity, and EntryPoint offer a no-code joint solution to enable phishing-resistant Derived FIDO2 Credentials. With this solution, YubiKeys can be used to authenticate with Ping Identity to provide modern phishing-resistant MFA based on FIDO2 and be compliant with the EO.
Stronger together
YubiKey and Ping Identity together offer the best of both worlds—modern, phishing-resistant MFA to protect against account takeovers, as well as a simplified user experience. YubiKeys are also durable, don’t require batteries or a cellular connection, and are water-resistant and crush-proof. Here are some additional benefits of using YubiKeys and PingFederate together:
Enhanced security posture with streamlined deployment
PingFederate and the YubiKey add strong authentication to identity platforms to bring a complete, easy-to-scale offering to organizations of all sizes, supported by YubiEnterprise subscription and delivery options.
Superior authentication
Ping Identity works with the YubiKey 5 FIPS Series, FIPS 140-2 validated security keys that meet the highest level of authenticator assurance (AAL3) of the NIST SP 800-63B guidelines.
Convenient login for higher employee productivity
Organizations can enhance security and simplify logins with PingFederate’s consistent SSO experience and YubiKey authentication, reducing support calls and downtime.
Supply chain and customer access
Provide federated support to partners, third-party entities, and even customers to prevent breaches.
Secure privileged users, mobile-restricted environments
Improve security and productivity for privileged users or those sharing workstations and provide support for remote workers, contractors, air-gapped/isolated networks, cloud services, high-risk military scenarios, and mobile-restricted environments.
Attestation support
Yubico and Ping Identity work together with EntryPoint’s credential management system and identity binding to provide an off-the-shelf no-code solution that confirms Derived FIDO2 Credentials consistent with NIST SP 800-157 and 800-79-2.
Adaptive and risk-based authentication
Administrators can define advanced authentication, pairing and device posture policies to trigger intelligent step-up MFA or to accept trust within geo-fenced or other defined scenarios.
Enable the bridge to passwordless authentication
Yubico and Ping Identity work together to meet organizations where they are on their journey to passwordless, seamlessly supporting legacy infrastructures with multi-protocol flexibility as well as modern, cloud-based systems that leverage the latest FIDO2/WebAuthn standards.
Derived FIDO2 Credentials for implementing Zero Trust architecture
In addition to protecting government agencies and employees, the EO mandates that organizations working with the federal government also have phishing-resistant authentication for their suppliers and partners. YubiKeys are a perfect solution as they support both types of phishing-resistant authentication—Certificates and FIDO2. Ping Identity, EntryPoint and YubiKeys enable organizations to deploy BYOD, work from home, and first-line worker scenarios by deploying a YubiKey without the need for external hardware.
Are you impacted by EO 14028?
Some organizations may believe that the Executive Order is focused on federal agencies, but it has critical implications for many regulated and private sector industries such as defense, supply chain, healthcare, technology, and financial services. In March 2022, President Biden called on both state and local governments and the private sector to step up cybersecurity defenses in line with EO 14028 with all urgency, starting with “the use of multi-factor authentication on your systems to make it harder for attackers to get onto your system…”