What is a YubiKey and How Can It Help MFA?

Passwords alone are no longer sufficient protection against contemporary cyber threats. In light of this, the vast majority of secure digital services (from corporate environments to banking applications) now require multi-factor authentication (MFA) for access. Going further still, many organisations are actively moving towards completely passwordless access to maximise their security. 

What is a YubiKey?

Produced by Yubico, a YubiKey is a small hardware device with an in-built unique code that helps to make phish-resistant multi-factor authentication (MFA) as simple and streamlined as possible.

For authentication to be multi-factor, it must comprise at least two different security factors from the three factors of: Something You Know (a password or memorable phrase), Something You Have (a YubiKey or one-time passcode) and Something You Are (a biometric characteristic). A YubiKey meets these criteria by combining Something You Know (usually a password or a PIN) with Something You Have: your YubiKey device and its unique code.

Deploying YubiKey MFA across organisations is relatively simple, no matter your device catalogue. YubiKeys support a wide range of authentication protocols and are available with numerous connectors to make secure access possible, including USB-A, USB-C, Lightning, and NFC.

What is Phish-Resistant MFA?

While traditional methods of MFA still provide additional depth to your defence, authentication apps and SMS codes are unfortunately vulnerable to phishing, and when security is paramount, it is worth exploring the emerging alternatives.

In the case of adversary-in-the-middle (AiTM) or man-in-the-middle (MiTM) attacks such as Evilginx, attackers proxy an organisation’s legitimate sign-in page to an unsuspecting user who then enters their secure login information. The threat actor is then able to intercept this sensitive traffic and duplicate the tokens produced for their own malicious use.

It’s here that traditional forms of MFA can let security down. However, physical hardware keys such as YubiKeys are resistant to these phishing methods as they are not reliant on a digital interface and handle all authentication offline. For users keen to achieve phish-resistant MFA, a YubiKey is a worthwhile step towards greater security.

What Are the Benefits of a YubiKey?

Simplified Migration

Because a YubiKey houses its authentication code natively, it is not tied to a particular device in the way that an authentication app might be, which would necessitate a new setup on each instance of device migration.

If a user is utilising a YubiKey to access their corporate laptop and they then change to a new one, they can simply use their existing key on the new device, with minimal input from the tech team.

Challenging to Hack

With such a limited attack surface, threat actors are far less likely to be able to access, hack, or take over a YubiKey in the way they might an app. In the context of phish-resistant MFA, this point of difference really sets devices like YubiKeys apart and helps to meaningfully increase security without the need for invasive adjustments to processes.

Convenient Access

Rather than requiring users to make use of their own devices for MFA, or distributing a corporate handset to do the same, a YubiKey is a comparatively low-cost alternative that doesn’t require a user to interact with another device, manually replicate a code or copy and paste a number to access a secure environment. Instead, they press a button on their YubiKey or connect it to their computer, and access is immediate.

For more information on YubiKeys, or to place an order for your organisation, please contact us and a member of our account management team will be in touch to discuss your requirements.
