Support Operation Winter SHIELD: Bolster Your Cyber Resiliency with Yubico

The FBI identifies MFA as the single most important step in cyber defense. However, not all MFA is equal. Legacy methods like SMS codes and push notifications are vulnerable to “MFA fatigue” and adversary-in-the-middle attacks.

• The Recommendation: Deploy FIDO2 compliant security keys or device-bound passkeys for authentication and remote access.
• The YubiKey Solution: YubiKeys are hardware-based FIDO2 security keys that are inherently phishing-resistant. Unlike SMS or push notifications, they require physical touch and cannot be intercepted by remote attackers.

With the rise of remote work and increased reliance on third-party vendors, VPNs and RDP instances are primary targets for ransomware actors. The FBI urges organizations to secure all remote entry points.

• The Recommendation: Require strong authentication and least-privilege access for third parties with network or data access.
• The YubiKey Solution: By providing YubiKeys to contractors and vendors, you ensure that third-party access is secured with the same high-standard, phish-resistant hardware used internally, closing the “least-protected vendor” gap.

Administrative accounts are the “keys to the kingdom.” The FBI recommends strict controls and hardware-based isolation for these users.

• The Recommendation: Use separate admin accounts and require access from secured devices.
• The YubiKey Solution: YubiKeys allow for “Step-up Authentication.” You can require a physical YubiKey tap specifically for administrative actions, ensuring that even if a standard user account is compromised, the attacker cannot escalate privileges without the physical hardware key.

Threat actors often use legitimate system tools to move laterally through a network. Stopping them requires strong identity verification at every lateral jump.

• The Recommendation: Monitor for malicious use of legitimate software, and enforce strict identity verification to ensure legitimate system tools aren’t being used for unauthorized lateral movement.
• The YubiKey Solution: By implementing YubiKey-backed authentication for internal tool access and SSH logins, you break the chain of lateral movement. Even if an attacker gains a foothold, they cannot escalate privileges or move to other servers without the physical security key.

Passwords are a single point of failure that rely on human memory and are easily stolen, guessed, or bypassed by hackers.

• The Recommendation: Move away from weak passwords toward long, complex passphrases—or better yet, passwordless environments.
• The YubiKey Solution: Go entirely passwordless. With a YubiKey, users can sign into their computers and cloud applications using the key + a PIN. This eliminates the risks of password reuse, credential stuffing, and the burden of password resets.