The key to strong authentication for your organisation.
Balancing security and usability is a constant and costly challenge.
That challenge only grows when applied to a varied and disparate workforce.
Your employees and partners want easy access to the resources they need to get the job done – reverting to simplistic passwords that are easy to recall across multiple platforms and services.
The result: ‘123456’ continues to be the most used password across the globe (NordPass, 2021).
With YubiKey, you can make access easy for your users and eliminate the risk of account takeovers.
61% of hacking-related breaches involve compromised and weak credentials.
The 2021 Verizon Data Breach Investigations Report
Small but mighty: two-factor, multi-factor, and biometric authentication
Google, Facebook, and the UK government are amongst the thousands of organisations that rely on the YubiKey for simple, secure, and scalable hardware or biometric authentication.
YubiKey helps you:
Manage computers, phones, networks, and millions of online services using one security device
Gain strong, scalable authentication that eliminates account takeovers from phishing attacks
Minimise the cyber risk for employees and remote workers across all systems and devices
Add two-factor, multi-factor and/or biometric authentication – or go passwordless
123456 – How quickly can you count to a security breach?
Passwords, authentication software, and security codes are all vulnerable to modern phishing and man-in-the-middle (MITM) attacks.
Password recovery, resets, and IT administration fees all add up – costing large enterprises tens of millions.
Long-winded multi-factor authentication processes slow you down and reduce your organisation’s output.
Your passwords, SMS, and mobile apps are increasingly vulnerable to malware and hackers.
Secure hardware authentication systems can be complex to roll out, difficult to use, and hard to adopt.
Passwordless for security-more
You’ll benefit from:
Windows Hello for Business and YubiKey work together and complement each other, giving you even more protection. Both provide methods of passwordless authentication, both improve security, and both improve the user experience.
However, with YubiKey, the user credential is portable – which simplifies the enrolment process across different devices. It also means it doesn’t rely on a physical computer as the root of trust (a thumbs up for zero trust scenarios!), whereas Windows Hello for Business is tied to a single device.
Again, YubiKey and Microsoft Authenticator can be used together to complement each other and provide more robust security.
However, YubiKey excels when it comes to phishing resistance. A YubiKey can secure privileged accounts, call centres, shared workstation scenarios, and BYOD restricted environments, where mobile phones – and therefore Microsoft Authenticator – are not acceptable.
You should use both. YubiKey will plug gaps in portability and phishing resistance as covered in the above answers.
Ultimately, by simplifying your security and reducing demands on your IT departments, you are only going to save money in the long term.
Yubico and Microsoft, along with members of the FIDO Alliance and the World Wide Web Consortium (W3C), are lead authors of passwordless logins that are enabled by FIDO2 and WebAuthn authentication protocols.
To achieve strong authentication, you need to combine two or more authentication factors.
With the YubiKey, you will combine something you have (a security key) and something you are (biometrics) or know (PIN).
A PIN is fundamentally different from a password. A password is known by you and the remote server. It must be secured throughout the complete authentication sequence, as it’s vulnerable to attack vectors like password compromise, malware, password attacks, phishing, and MitM attacks.
FIDO2 leverages asymmetric cryptography. The PIN is not shared: it is stored locally in the secure element of the YubiKey and is only used to unlock the security key.
The passwordless feature is available in all SKUs of Azure AD, which is bundled with Office 365 and Microsoft 365. You just need an updated WebAuthn compatible browser for web authentication.
For workstation login, steps need to be taken to make sure the scenario is enabled; the requirements closely match some of those for Windows Hello for Business.
There is no official FIDO2 support for workstation login on Mac from Microsoft. Should your organisation want to extend the capabilities of Active Directory for workstation login on Mac, with the option to have the same user experience as with FIDO2 passwordless, you’ll need to refer to official Yubico and Apple documentation or contact Yubico.
Web authentication to applications and services through the browser is supported on Mac with YubiKeys.
25 – but carefully consider which accounts are stored onboard a single device.
For Windows 10 workstation login, if multiple Azure AD credentials are stored on the YubiKey, only one credential from a given Azure AD tenant can be used. The last Azure AD credential registered on the YubiKey will be used for workstation login.
Administrators can remove security keys on behalf of a user through the ‘user authentication methods experience’ in Azure AD. An administrator must enable this experience for themselves.
Additionally, there are MS Graph API endpoints (fido2AuthenticationMethod) and PowerShell cmdlets to help manage user security keys. And users can use the GUI to remove their own keys.
We recommend you register two YubiKeys.
If this is not possible, the Microsoft Authenticator application can be used to authenticate as a backup. Once signed in to your account, you can remove the YubiKey so nobody else can use it and register a new one.
Your organisation’s helpdesk/administrators can define processes aligned to your internal processes.
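An added example (not part of the original page, and not Kocho, Yubico or Microsoft code) of using the Graph PowerShell cmdlets mentioned above to report which users have fewer than the two recommended keys registered. It assumes the Microsoft Graph PowerShell SDK is installed; the function names `Get-Fido2Coverage` and `Get-Fido2Inventory` and the sample users are constructed for illustration.

```powershell
# Added example: report FIDO2 security key coverage per user.
# Live use needs the Microsoft.Graph.Users and Microsoft.Graph.Identity.SignIns modules.

function Get-Fido2Coverage {
    # Input: objects with UserPrincipalName and Keys (fido2AuthenticationMethod objects).
    # Output: one row per user, flagging accounts below the required number of keys.
    param(
        [Parameter(Mandatory)] [object[]] $Inventory,
        [int] $MinimumKeys = 2
    )
    foreach ($entry in $Inventory) {
        $keys = @($entry.Keys)
        $newest = $keys | Sort-Object CreatedDateTime -Descending | Select-Object -First 1
        [pscustomobject]@{
            UserPrincipalName = $entry.UserPrincipalName
            KeyCount          = $keys.Count
            NewestKey         = $newest.DisplayName
            HasBackupKey      = $keys.Count -ge $MinimumKeys
        }
    }
}

function Get-Fido2Inventory {
    # Live collection from the tenant; read-only scopes are sufficient for reporting.
    Connect-MgGraph -Scopes 'User.Read.All', 'UserAuthenticationMethod.Read.All' | Out-Null
    foreach ($user in Get-MgUser -All -Property Id, UserPrincipalName) {
        [pscustomobject]@{
            UserPrincipalName = $user.UserPrincipalName
            Keys              = @(Get-MgUserAuthenticationFido2Method -UserId $user.Id)
        }
    }
}

# Constructed sample data so the report logic can be run without a tenant.
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@example.test'; Keys = @(
        [pscustomobject]@{ Id = 'sample-1'; DisplayName = 'Primary key'; CreatedDateTime = [datetime]'2023-01-10' },
        [pscustomobject]@{ Id = 'sample-2'; DisplayName = 'Backup key';  CreatedDateTime = [datetime]'2023-02-01' }) },
    [pscustomobject]@{ UserPrincipalName = 'bob@example.test'; Keys = @(
        [pscustomobject]@{ Id = 'sample-3'; DisplayName = 'Only key'; CreatedDateTime = [datetime]'2023-03-15' }) },
    [pscustomobject]@{ UserPrincipalName = 'carol@example.test'; Keys = @() }
)

Get-Fido2Coverage -Inventory $sample | Format-Table -AutoSize
# Against a tenant: Get-Fido2Coverage -Inventory (Get-Fido2Inventory) | Where-Object { -not $_.HasBackupKey }
```

Removing a lost key on a user's behalf uses `Remove-MgUserAuthenticationFido2Method -UserId <id> -Fido2AuthenticationMethodId <id>`, which needs the `UserAuthenticationMethod.ReadWrite.All` scope rather than the read-only scopes used here.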