The session features host and Mobile Mentor Founder, Denis O’Shea, Yubico Solutions Engineer, Shakeel Aziz, Microsoft Cloud Endpoint Technical Specialist, Nick Cordova, and Mobile Mentor Digital Identity Lead, Demetrius Cooper.
During the conversation, the group discusses use cases of security keys and how they can benefit businesses.
Read below for a synopsis of this conversation on security keys for passwordless.
What are the different form factors, use cases, and manners of using security keys?
Shakeel Aziz: So interesting note – even though Microsoft doesn’t make security keys, they certainly use security keys. We, at Yubico, are in a lot of the big tech partner environments, as well as highly regulated environments, your standard consumer, and commercial markets. We’ve talked about multiple MFA methods that are available to us. Windows Hello for Business is great for dedicated devices. Whenever we talk about what multifactor authentication methods or authentication methods you should use for your organization, the answer could be multiple things. You could have dedicated users who have dedicated devices, and they have a TPM built in that’s compatible, with a camera that’s compatible, to do Windows Hello for Business; then that is something you could certainly do. It is a FIDO2-certified authenticator. It provides strong, cryptographically backed authentication.
Then there are YubiKeys. What we do is essentially make hardware security keys that are purpose-built to be an authenticator. Where security keys differ from other forms of multi-factor authentication is that they’re specifically built to perform authentication – so the attack vector is either extremely tiny or even nonexistent because that’s all it’s built and designed to do. Security keys are great as a cross-platform authenticator. If you want to be able to authenticate using the same security key across multiple devices, you can do that. You can log in as a user on your workstation and authenticate using something like a security key or YubiKey. You can unplug that and use it on your mobile device to log in to a consumer service such as LastPass.
It’s the versatility of the security key that makes it a security method that fits certain use cases. We deal with a variety of different use cases from protecting highly privileged accounts. For example, organizations may have standardized Windows Hello for Business for their executive users, may have standardized the authenticator app for all their standard users, and then require high-privilege users to use a YubiKey or a security key. The reason for that is an administrator is logging into multiple systems and multiple services. It provides them the additional flexibility to do so.
The other use case that we see quite a bit is highly regulated environments where a mobile phone is restricted – instances where you can’t take a mobile phone into a specific area for security reasons, or something like a shop floor where you don’t want a worker to be distracted using a mobile device. That’s another area that security keys are a perfect fit for, where an employee can just come in to grab a security key off the shelf or take it home with them. They can walk up to the shared workstation they’re authenticating to, plug in the key, enter a PIN, and they’re authenticated.
If we talk about that use case in greater detail, a passwordless flow works well with users that may not be very technology savvy. When users are rotating passwords and creating new passwords every 90 days, they forget them. They have to call the Help Desk to get their passwords reset. That adds a burden on the Help Desk. I’ve heard numbers ranging from $25 a call to $100 per call for a password reset. Self-service password reset tools bring that overhead down a bit. But it’s so much easier if a user can remember a PIN, like he does for his ATM card, and never have to change it, because PINs don’t require complexity and rotation and some of those password control rules that we’ve historically implemented.
We’ve seen kind of a variety of use cases around some of those specific ones that we just mentioned. The ultimate use case is a security incident, where a user was phished. And now the organization is taking the next step and moving towards phishing-resistant authentication. That’s what Yubico has been working on, and it is a pioneer of the standard. When we get into those conversations with those customers, they want to be able to have phishing-resistant authentication for every user.
Our keys themselves also come in multiple flavors. For example, our YubiKey 5 Series is a multi-protocol key. It’s great for organizations that have legacy infrastructure, modern infrastructure, or a combination of both, or are in the middle of a passwordless journey where they could use the same key to perform two-factor authentication using a TOTP code. They can use it to log in to Office 365 passwordless. We like to say that we can meet the customer wherever they are in their journey. That’s what I think makes the YubiKey a special tool. Then we have specific keys.
If you’re only going to use Office 365 as your primary use case, we have a key that just functions as a FIDO2 key. That is very common in the educational space. You have faculty, staff, and maybe even students that are only going to log in to Microsoft 365. They’re not going to need to log in to any other type of service. We offer them a security key that is half the price of a standard 5 Series key.