Want to improve the security of your accounts with hardware-based multi factor authentication (MFA)? Hardware tokens such as the YubiKey are excellent tools for protecting your accounts against unauthorized access.
In this article you will learn what YubiKeys are, why you should use them, and the best practices for getting started with YubiKeys. You will also learn how to use YubiKeys when USB ports are blocked in your network so you can reduce USB security risks without blocking hardware tokens.
YubiKeys are hardware-based U2F security keys that are manufactured by Yubico. YubiKeys and other hardware tokens are used to secure accounts with multifactor authentication (MFA).
While MFA can be accomplished with other forms of authentication such as a One Time Password (OTP), FIDO-compliant tokens such as YubiKeys provide an added layer of security by requiring a user to have access to a unique physical device to authenticate.
Requiring physical access to a piece of hardware prevents attackers from remotely infiltrating accounts as they will need more than simply a username and password to gain access.
Universal 2nd Factor (FIDO U2F) is a form of asymmetric cryptographic authentication that is compatible with security keys. It leverages your web browser to verify if you are logging into the intended domain and rejects the authentication if it detects that the credentials are being used on an unintended site.
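The origin check described above is enforced on the server side of a FIDO/WebAuthn login, and this added example (not from the original article or from Yubico) shows the two relying-party checks that give hardware keys their phishing resistance: the browser-filled `origin` in clientDataJSON must match the site's real origin, and the first 32 bytes of the authenticator data must equal SHA-256 of the registered RP ID. The origin, RP ID, challenge and sample messages are all constructed for illustration; a production verifier must additionally check the assertion signature with the credential's public key, which is omitted here.

```python
import base64
import hashlib
import json

# Assumed relying-party values (constructed for this example).
EXPECTED_ORIGIN = "https://accounts.example.com"
EXPECTED_RP_ID = "example.com"


def b64url_decode(data: str) -> bytes:
    """WebAuthn transports clientDataJSON as unpadded base64url."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def verify_client_data(client_data_b64: str, expected_challenge: str,
                       expected_origin: str = EXPECTED_ORIGIN) -> tuple:
    """Check the browser-supplied clientDataJSON of an authentication assertion.

    The browser, not the page's own JavaScript, fills in `origin`, so a lookalike
    domain cannot claim to be the real site; the server still has to compare it.
    """
    cd = json.loads(b64url_decode(client_data_b64))
    if cd.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay or wrong session)"
    if cd.get("origin") != expected_origin:
        return False, f"origin {cd.get('origin')!r} rejected"
    return True, "ok"


def verify_rp_id_hash(authenticator_data: bytes, rp_id: str = EXPECTED_RP_ID) -> bool:
    """The security key prefixes authenticatorData with SHA-256(rpId)."""
    return authenticator_data[:32] == hashlib.sha256(rp_id.encode()).digest()


def make_client_data(origin: str, challenge: str) -> str:
    """Build a constructed clientDataJSON the way a browser would."""
    return b64url_encode(json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode())


def make_authenticator_data(rp_id: str) -> bytes:
    """Constructed authenticatorData: rpIdHash, flags (UP|UV), counter = 1."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x05" + b"\x00\x00\x00\x01"


CHALLENGE = b64url_encode(b"constructed-server-challenge-0001")
GENUINE = make_client_data("https://accounts.example.com", CHALLENGE)
PHISHED = make_client_data("https://accounts.examp1e.com", CHALLENGE)
```

Running `verify_client_data(PHISHED, CHALLENGE)` returns a rejection naming the lookalike origin, while the genuine message passes both checks.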
Multifactor authentication (MFA) is critical for reducing opportunities for threat actors to breach accounts. For business use cases where highly sensitive data such as electronic health records (EHR) or personally identifiable information (PII) are concerned, the improved security of a hardware token such as a YubiKey is highly desirable.
Hardware authentication tokens are far more secure than other MFA methods like SMS messages or knowledge-based security questions. In fact, Google entirely neutralized phishing attacks when they had their 85,000+ employees migrate to using hardware security keys for MFA.
Despite the critical importance of hardening authentication security, a mere 28% of respondents surveyed by Duo in 2017 took advantage of the added layer of security provided by MFA.
While passwords are ubiquitous, they simply aren’t sufficient when used alone.
Fortunately, general awareness about the risks of password-based authentication is spreading. Gartner predicts that by 2022 we can expect 60% of large and global enterprises and 90% of mid-size enterprises to implement passwordless methods in more than 50% of use cases.
Yubico offers a diverse range of hardware tokens, the prices of which vary from ~$25-70 USD per device.
Since the best practice is to have two YubiKeys per person, so that a lost YubiKey does not lock you out of your accounts, the investment needed to get started can add up quickly.
Naturally, businesses ordering in bulk can reduce the cost per unit but it is an investment nonetheless. If you would like to use a YubiKey to protect your accounts, Yubico offers a convenient quiz to help you narrow down your options.
Yes. If you use AccessPatrol to block USB devices, YubiKeys can still be used on your computers. YubiKeys are HID composite devices, so AccessPatrol’s USB blocker will not interfere with your YubiKey deployment.
If you are using hardware tokens that identify themselves as USB devices, there are methods you can use to exempt them from AccessPatrol’s USB device control policies.
These methods will also allow you to:
No, blocking USB storage devices with AccessPatrol should not interfere with hardware tokens such as the YubiKey. In the event that AccessPatrol restricts the use of hardware tokens, Personal Identity Verification (PIV) smart cards, or other devices you can easily exempt them using the Allow List.
AccessPatrol’s device control policies allow you to block portable storage hardware such as flash drives, external hard drives, and SD/MM cards without interfering with USB human interface devices (HIDs) such as hardware tokens, mice, and keyboards.
Based on how AccessPatrol is designed most hardware authentication devices should continue to function as normal when USB storage device permissions are set to “No Access” or “Read Only” in your AccessPatrol policies.
For more tutorials and information, visit the AccessPatrol knowledge base.
| Device Class | Devices | Access Permissions |
|---|---|---|
| Storage Devices | USB | Full / Read only / No access |
| Storage Devices | DVD / CD | Full / Read only / No access |
| Storage Devices | Floppy | Full / Read only / No access |
| Storage Devices | Tape | Full / Read only / No access |
| Storage Devices | External Hard drive | Full / Read only / No access |
| Storage Devices | Firewire | Full / Read only / No access |
| Storage Devices | SD Card | Full / Read only / No access |
| Storage Devices | MM Card | Full / Read only / No access |
| Wireless Devices | Bluetooth | Full / No access |
| Wireless Devices | Infrared | Full / No access |
| Wireless Devices | Wifi | Full / No access |
| Communication Ports | Serial | Full / No access |
| Communication Ports | Parallel | Full / No access |
| Imaging Devices | Scanners | Full / No access |
| Imaging Devices | Cameras, Webcams & Others | Full / No access |
| Others | Printers | Full / No access |
| Others | USB Ethernet Adapter | Full / No access |
| Others | Sound Cards | Full / No access |
| Others | Portable Devices (iPhones, Mobiles) | Full / No access |
| Others | Network Share | Full / No access |
In the event that USB devices you would like to allow are being blocked by AccessPatrol you can use one of these two methods to exempt them from your USB security policies.
For most use cases the Allow List will be your best option as it will ensure that any authorized users on your network will be able to use the exempted USB devices. The Access Code Generator is best used for special use-cases where you want to provide temporary time-limited access to peripheral devices.
With AccessPatrol’s Allowed List you can block all USB devices except specific company USB devices. If AccessPatrol is blocking USB devices that you would like to exempt from your USB security policy you can add them to the allowed list by following these steps.
Device whitelisting is configured on a per-folder basis: a device added to the allowed list is permitted on every computer in the specified folder. AccessPatrol’s allowed list supports USB storage devices, external hard drives, imaging devices, and portable devices.
Note: Allowing a device by serial number is fully compatible with Windows 10. For Windows 7 or 8, some newer models of USB devices may not support this feature. Instead of allowing by serial number, it will allow all devices from the same vendor and model.
AccessPatrol can grant temporary access to blocked devices using its Access Code Generator.
Authorized Operator accounts can use the Access Code Generator to produce a single-use code that gives a specific user or computer a set duration during which devices will no longer be blocked by AccessPatrol.
The access code is unique to the computer or user it is generated for, and the computer does not need to be connected to the internet to use it. So long as the CurrentWare client is installed on the employee’s computer, they can be given temporary access to USB devices.
If you would like to prevent your users from using USB ports for mass storage without blocking hardware authenticators, keyboards, mice, and other desired USB devices you can do that with AccessPatrol.
By default AccessPatrol distinguishes between USB storage devices and HID peripherals such as keyboards and mice; setting USB permissions to “Read Only” or “No Access” will block USB storage devices while allowing YubiKeys and other HID devices.
After following these steps you will be blocking USB mass storage devices while still allowing YubiKeys, keyboards and mice to function.
YubiKeys are compatible with a diverse range of services, though, much like other hardware authenticators, they are not universally supported. For the most up-to-date list of compatible accounts, check out the Works with YubiKey catalog.
You can also visit DongleAuth.info to find out what websites support One Time Passwords (OTP) or FIDO2 U2F/Web Authentication (WebAuthn).
If you would like an introduction to a practical use case for a YubiKey, this video tutorial from Tristan Bolton breaks down how you can lock down your Gmail account using a physical security token such as a YubiKey.
The key weak point with YubiKeys is that you can potentially be locked out of your accounts if your YubiKey is ever lost, damaged, or stolen. To mitigate this, register two YubiKeys for each of your accounts; keep one as your day-to-day YubiKey and store the other in a secure location such as a safety deposit box.
To make the transition from your primary YubiKey to your secondary YubiKey easier you should keep a secure list of all the websites that you’ve registered the YubiKey to. If you ever lose your primary YubiKey you’ll have a convenient reference of all of the accounts you need to update.
A chain is only as strong as its weakest link. If you’re investing in a YubiKey or similar hardware authentication token you need to disable less secure MFA/2FA options to actually benefit from the enhanced security provided.
If you use a YubiKey on an account that also has less secure options such as SMS codes (which are susceptible to SIM Swapping attacks) or One-time Passwords (which can be phished), your overall security level will be that of the weakest MFA option you have enabled.
After you add your desired MFA/2FA method to an account you will likely be presented with backup (recovery) codes that can only be used once.
These codes are designed as a backup authentication method to regain access to your account should you ever lose access to your YubiKey or authentication app.
Your backup codes should be kept in a secure location such as an encrypted USB device or a hardened password manager. As an added layer of security you can store the encrypted USB device in a secure offsite location such as a safety deposit box.
A password manager is an excellent way to prevent the reuse of passwords. These tools will help you generate unique and secure passwords that are stored within an encrypted application. The application itself is protected with a “master password” that is strong, easy to remember but hard to guess, and only ever used for the password manager.
To further protect your passwords you can require the use of your YubiKey to gain access to your password vault. This ensures that your password manager remains secure even if your master password is phished or captured by a keylogger planted by spyware on your computer.
You may also consider storing your one-time passwords in your password manager, though you must ensure that the password manager you choose is secure. If the service is breached, or the company maliciously reconfigures its service to capture passwords, every account stored in it is at risk.
Any service that is compromised can be used to escalate an attack. Keeping all accounts as secure as possible will maximize the security posture of yourself and your organization.
The very first thing you should secure with your YubiKey is your email service provider as they will be the backup recovery method used by the majority of websites.
After that, you should check out the Works with YubiKey catalog to find out what you can secure with your Yubikey. You can also visit DongleAuth.info to find out what websites support One Time Passwords (OTP) or FIDO2 U2F/Web Authentication (WebAuthn).
Using hardware security tokens such as YubiKeys is an excellent way to protect your business against phishing attacks, unauthorized access to accounts, and other common authentication security threats.
If you would like to use YubiKeys when USB ports are blocked you can use data loss prevention software such as AccessPatrol to block all USB devices except for the YubiKey and other approved devices.
To learn more about authentication security, YubiKeys, and cybersecurity, check out the resources down below.
This guide from Yubico will show you how to set up your YubiKey as a form of two-factor authentication with the supported service you wish to secure. It includes tutorials for all of their offerings, making it a great resource for implementing your YubiKey with your accounts.
This excellent beginners guide from Paul Stamatiou shows you how to stay safe online and prevent phishing with FIDO2, WebAuthn and security keys. It’s just technical enough to clearly communicate the advantages and disadvantages of YubiKeys without being so detailed as to be intimidating for new hardware key users.
The official resources page from Yubico includes FAQs, blog posts, white papers and other resources for YubiKey users and developers. This is a great resource for companies that would like to implement security keys at-scale.
The YubiKey subreddit is a great resource for community discussion, frequently asked questions, and industry news related to YubiKeys. If you’re not already familiar with Reddit, it’s a social networking/forum website where users congregate around various “subreddits” on niche topics.