The password is arguably the most popular and most common security measure available, and yet it can be the most vulnerable if not managed securely. A password, for example, does not provide a reliable identity check: it cannot verify that the person using it is its owner. A hacker who manages to steal your password can directly access your account, leaving the business open to theft of highly sensitive data. The security of an account is based solely on the strength of the password; without proper complexity and proper user education, a user’s password may not be strong enough to evade hacking.
Passwords need to be supplemented with a form of identity verification, and multi-factor authentication is the perfect option.
What is Multifactor Authentication
Multi-factor authentication (MFA) is the process of identifying an online user by validating two (two-factor) or more (multi-factor) claims presented by the user, where each factor takes a different form or comes from a different device: something the user knows, such as a password; something the user has, such as a mobile device; and/or something the user is, for example a fingerprint.
The principle of MFA is that there is no perfect authentication factor. Every factor has its own strengths and weaknesses, and additional factors compensate for the weaknesses of the others.
There are considerable benefits to using multi-factor authentication in your authentication process. There is, however, a considerable array of MFA options out there, including Duo Security, Google Authenticator and RSA SecurID. Determining the right fit requires some research, including whether the application you are considering supports MFA and which MFA products it supports. To give you an idea, this post, along with the others in the series, provides a brief overview of some of the more popular options on the market. This article covers one of the leaders in the market, YubiKey from Yubico.
What is a YubiKey
YubiKey is a piece of hardware that verifies the user’s identity. It is a small passive USB device which, when plugged into the USB port of any PC, presents itself as a standard USB HID keyboard. On top is a button that, when pressed, emits a 44-character encrypted string that is sent to any compatible application, enabling the user to log in securely.
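The 44-character string described above is a Yubico OTP: by default a 12-character key identifier followed by 32 characters that carry a 16-byte encrypted block, all written in the 16-letter "modhex" alphabet. The Python below is an added example, not code from the original article or from Yubico; it shows the structural checks an application can run before handing the OTP to its validation backend. The function names, the enrolled-identifier check and the sample value are assumptions made for illustration, and decrypting the block and checking its counter (the backend's job) are not shown.

```python
from __future__ import annotations

MODHEX = "cbdefghijklnrtuv"   # modhex digit at index i stands for hex digit i
_TO_HEX = str.maketrans(MODHEX, "0123456789abcdef")
OTP_LEN = 44                  # length stated in the article
PUBLIC_ID_LEN = 12            # assumption: default 12-character key identifier
# Constructed sample, not output from a real key.
SAMPLE_OTP = "ccccccbdefgh" + "cbdefghijklnrtuv" * 2


class OtpRejected(ValueError):
    """A submitted OTP failed a local pre-check."""


def modhex_decode(text: str) -> bytes:
    """Decode modhex to bytes, rejecting characters outside the alphabet."""
    if len(text) % 2 or any(ch not in MODHEX for ch in text):
        raise OtpRejected("not valid modhex")
    return bytes.fromhex(text.translate(_TO_HEX))


def parse_otp(otp: str) -> tuple[str, bytes]:
    """Split an OTP into (public_id, 16-byte encrypted block)."""
    otp = otp.strip().lower()
    if len(otp) != OTP_LEN:
        raise OtpRejected(f"expected {OTP_LEN} characters, got {len(otp)}")
    public_id = otp[:PUBLIC_ID_LEN]
    modhex_decode(public_id)  # validates the identifier's alphabet
    return public_id, modhex_decode(otp[PUBLIC_ID_LEN:])


def precheck(otp: str, enrolled_id: str, seen: set[str]) -> bytes:
    """Local checks before the encrypted block goes to the validation backend."""
    public_id, block = parse_otp(otp)
    if public_id != enrolled_id:
        raise OtpRejected("key is not enrolled for this account")
    if public_id + block.hex() in seen:
        raise OtpRejected("OTP already submitted (replay)")
    seen.add(public_id + block.hex())
    return block


if __name__ == "__main__":
    cache: set[str] = set()
    print(precheck(SAMPLE_OTP, "ccccccbdefgh", cache).hex())
```

The `seen` set only catches an identical string being submitted twice to this application; the validation backend remains the authority on whether an OTP is genuine and fresh.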
YubiKey adheres to an industry standard called Universal 2nd Factor, or U2F, a standard for hardware-based authentication, making it extremely difficult to compromise. Also, because it is a small physical object, a hacker who wants to steal your identity needs not only your password and any other factor you have in between, but also the physical YubiKey hanging from your keyring.
Getting Started
With your YubiKey to hand, navigate to the YubiKey website and choose the service you are using, such as Facebook, Google or LogonBox. YubiKey supports a plethora of applications and services. For example, LogonBox password self-service supports YubiKey to secure user identity during password management and single sign-on; you can find the YubiKey with LogonBox guide on their supported applications page.
With everything configured, place your YubiKey into your USB port, wait for the blinking light, and you’re ready to use it. At login, depending on where you have added the YubiKey into your authentication flow, you are asked to enter the key; press the gold disk in the middle of the key, and you’re logged in.
Benefits of YubiKey
- Like most hardware-factor authentication devices, YubiKey helps mitigate identity theft and phishing attacks.
- It is a tiny, waterproof USB key that can be clipped to your keyring or even worn as a necklace, making it much more convenient than a clunky mobile phone.
- Due to its size, it can decrease login times; according to YubiKey, “statistics showed that the login process was four times faster compared to Google Authenticator”.