YubiKey Review: Hardware Authentication Tokens for Two Factor

By Justin Millett
November 15, 2018
Yubikey alternative to regular keycard or badge access.

The need for two-factor identification is pressing with the rise of office employees working remotely and traveling, often leaving their laptops in cars, trains or subways. In this post, Justin Millett, IT Analyst at Carris Reels, explains why they looked into Yubico’s YubiKey and how it compares to other hardware authentication devices on the market, and gives a quick review of the YubiKey.

Why We Looked at Two-Factor Authentication for Workstations

We started looking into hardware authentication for usability reasons. People in our corporate office are traveling quite often and we needed to find a scanning device for two-factor authentication. That’s when I found the YubiKey, which works on NFC. Essentially, we’re looking to prevent stolen devices from being abused. However, it’s not the only way we protect ourselves: even with YubiKey, the topic of hard drive encryption for laptops remains, which is why we are looking at services like BitLocker.

Right now the workstation logon we use is ConnectWise Automate, which is our endpoint solution for patching and management for Windows updates, but that doesn’t interfere with the YubiKey at all.

Hardware Authentication Compared to Traditional 2FA Solutions

Traditional two-factor authentication would have been limited to virtual environments and we wanted to include the doors as well, so now we have one credential for the physical and virtual world. Since the YubiKey is also NFC based, that works well with NFC based door readers.

Roll Out Plan for YubiKey as Two-Factor Logon

We’ll roll it out to traveling people first on an as-needed basis. Later, we’ll expand that to the desktop workstations. For manufacturing, they are using regular logon, but we might want to start using regular cards to authenticate.

The YubiKeys are managed through their PIV (Privilege and Identification Card); you have to plug in the PIN and it’s stored locally. It would be pretty interesting if you could manage them via web app, which is a feature we are currently missing.

YubiKey vs. Google Titan vs. RSA Tokens

I have the Google Titan for my personal account, but it doesn’t work outside of Google. We also looked at RSA hardware tokens, which come in packs of 10; however, at $500 per pack, they’re very expensive. RSA tokens are interesting because they create a new code every minute, but the aesthetic of them is pretty big and rugged, which we don’t like.

We like the look of the YubiKey and it had great reviews. It is also capable of performing many more functions than we currently use it for, like OTP (One Time Passwords). The only problem is the YubiKey doesn’t work with Office 365 for email encryption; you currently have to re-login since we use encrypted email.


YubiKey as NFC Credential for Your Door

Our overall goal is to find a seamless solution for door access as one factor and two factor for workstations. My keychain now contains more fobs than keys—I have an RFID token for my school where I train people, then the Google Titan for personal use and the YubiKey for work. I’m curious to see if this is really the keychain of the future or if anything else comes up soon!

Justin Millett

IT Analyst at Carris Reels