Technologies

Yubico's YubiKey

Protect your accounts, go passwordless, and strengthen your multi-factor authentication – all with one simple touch.

The key to strong authentication for your organisation.

Balancing security and usability is a constant and costly challenge.

That challenge only grows when applied to a varied and disparate workforce.

Your employees and partners want easy access to the resources they need to get the job done – reverting to simplistic passwords that are easy to recall across multiple platforms and services.

The result: ‘123456’ continues to be the most used password across the globe (NordPass, 2021).

With YubiKey, you can make access easy for your users and eliminate the risk of account takeovers.

61% of hacking-related breaches involve compromised and weak credentials.

The 2021 Verizon Data Breach Investigations Report

Small but mighty: two-factor, multi-factor, and biometric authentication

Google, Facebook, and the UK government are amongst the thousands of organisations that rely on the YubiKey for simple, secure, and scalable hardware or biometric authentication.

YubiKey helps you:

Manage computers, phones, networks, and millions of online services using one security device
Gain strong, scalable authentication that eliminates account takeovers from phishing attacks
Minimise the cyber risk for employees and remote workers across all systems and devices
Add two-factor, multi-factor and/or biometric authentication – or go passwordless

123456 – How quickly can you count to a security breach?

Passwords, authentication software, and security codes are all vulnerable to modern phishing and man-in-the-middle (MITM) attacks.

Your challenges

Mounting costs

Password recovery, resets, and IT administration fees all add up – costing large enterprises 10s of millions.

Poor productivity

Long-winded multi-factor authentication processes slow you down and reduce your organisation’s output.

Vulnerability

Your passwords, SMS, and mobile apps are increasingly vulnerable to malware and hackers.

Complexity

Secure hardware authentication systems can be complex to roll out, difficult to use, and hard to adopt.

Passwordless for security-more

The YubiKey range combines the highest-level of security with passwordless authentication that will save you time, IT fees, and the headache of managing your account login details.

You’ll benefit from:

Faster access

One, simple device reduces the authentication time for users.

Cost savings

Eliminating password resets cuts support desk costs by up to 90%.

Simplicity

Access nearly 1,000 apps and services from one easy-to-use device.

Robust protection

Compact and durable, Yubikey is water and crush resistant.

Trusted protection

Millions of end users use YubiKey to simplify and secure their logins.

Anytime, anywhere

YubiKey doesn’t need a network connection or batteries – just plug in and go!

Windows Hello for Business and YubiKey work together and complement each other, giving you even more protection. Both provide methods of passwordless authentication, both improve security, and both improve the user experience.

However, with YubiKey, the user credential is portable – which simplifies the enrolment process across different devices. It also means it doesn’t rely on a physical computer as the root of trust (a thumbs up for zero trust scenarios!), whereas Windows Hello for Business is tied to a single device.
Again, YubiKey and Microsoft Authenticator can be used together to complement each other and provide more robust security.

However, YubiKey excels when it comes to phishing resistance. A YubiKey can secure privileged accounts, call centres, shared workstation scenarios, and BYOD restricted environments, where mobile phones – and therefore Microsoft Authenticator – are not acceptable.
You should use both. YubiKey will plug gaps in portability and phishing resistance as covered in the above answers.

Ultimately, by simplifying your security and reducing demands on your IT departments, you are only going to save money in the long term.
Yubico and Microsoft, along with members of the FIDO Alliance and the World Wide Web Consortium (W3C), are lead authors of passwordless logins that are enabled by FIDO2 and WebAuthn authentication protocols.
To achieve strong authentication, you need to combine two or more authentication factors.

With the YubiKey, you will combine something you have (a security key) and something you are (biometrics) or know (PIN).

A PIN is fundamentally different from a password. A password is known by you and the remote server. It must be secured throughout the complete authentication sequence, as it’s vulnerable to attack vectors like password compromise, malware, password attacks, phishing, and MitM attacks.

FIDO2 leverages asymmetric cryptography. The PIN is not shared, it is stored locally in the secure element of the YubiKey, and it is only used to unlock the security key.
The passwordless feature is available in all SKUs of Azure AD, which is bundled with Office 365 and Microsoft 365. You just need an updated WebAuthn compatible browser for web authentication.

For workstation login, steps need to be taken to make sure the scenario is enabled but closely matches some of the requirements of Windows Hello for Business.

There is no official FIDO2 support for workstation login on Mac from Microsoft. Should your organisation want to extend the capabilities of

Active Directory for workstation login on Mac, with the option to have the same user experience as with FIDO2 passwordless, you’ll need to refer to official Yubico and Apple documentation or contact Yubico.

Web authentication to applications and services through the browser is supported on Mac with YubiKeys.
25 – but carefully consider which accounts are stored onboard a single device.

For Windows 10 workstation login, if multiple Azure AD credentials are stored on the YubiKey, only one credential from a given Azure AD tenant can be used. The last Azure AD credential registered on the YubiKey will be used for workstation login.
Administrators can remove security keys on behalf of a user through the ‘user authentication methods experience’ in Azure AD. An administrator must enable this experience for themselves.

Additionally, there are MS Graph API endpoints (fido2AuthenticationMethod) and PowerShell cmdlets to help manage user security keys. And users can use the GUI to remove their own keys.
We recommend you register two YubiKeys.

If this is not possible, the Microsoft authenticator application can be used to authenticate as a backup. Once signed-in to your account, you can remove the YubiKey so nobody else can use it and register a new one.

Your organisation’s helpdesk/administrators can define processes aligned to your internal processes.