These Four Stories Show Why YubiKey Shouldn't Be Your First—or Only—MFA Solution - Plurilock (2024)

A key part of our business at Plurilock™ involves helping companies to move beyond the multi-factor authentication infrastructure that they already have—and that they are often not yet entirely comfortable with.

Hardware authenticators in particular tend to be more difficult to work with than companies initially think they will be. Though they're more secure technologies than SMS one-time codes, organizations often find that when used as a primary MFA solution they impose costs, inconveniences, lost productivity, and security risks that weren't foreseen.

The four stories below illustrate some of these problems and come either from Plurilock's own customers or from others in the cybersecurity industry. Read through them and see if they resemble stories from within your own organization.


"My YubiKey kept me from going home."

In our first story, a YubiKey user—let's call him Tim—worked in a YubiKey-based authentication environment at work.

On one particular evening last year, Tim left work after a long workday and embarked on his nearly two-hour, often frustrating commute home, eager to recharge for the night.

When he got home, he reached into his pocket only to find that he didn't have his keys. They, of course, were attached to the YubiKey on his keychain—which was still in his computer's USB port at work.

The point?

  • The organization's security was compromised. Tim's YubiKey was left unattended—with Tim miles and miles (and hours) away. This left Tim and his organization open to an insider breach—others in the office could have nabbed the key, reused it, and then returned it to its place in his USB port without anyone being the wiser.

  • Tim's own security was compromised. Similarly, Tim's house keys were left in full view at his workstation, with others aware that Tim had embarked on a long commute home. Tim's personal home and other keys could have been taken, copied, and replaced—once again on the sly. Meanwhile, Tim was stuck on the street miles away from his keys.

  • Tim's evening was ruined. After a lengthy commute home, Tim was forced to immediately turn around, commute all the way back to work, try to get in after hours without his keychain, retrieve his YubiKey and house keys from the USB port, then commute all the way back home again. An already onerous one-way evening commute became a non-trivial, multi-hour ordeal.

"I don't know what my YubiKey's been up to."

Let's move on to our second story. In it, an executive—let's call her Chris—thought she was smarter than guys like Tim.

Chris didn't keep her YubiKey on her keychain because that seemed like a risk—multiple security items from different parts of her life all tied together. But carrying her YubiKey "bare," she'd left it in the wrong bag several times when switching purses in the morning before work.


So, Chris had taken to leaving her YubiKey in her desk drawer at the office.

One day last year, Chris came into work and opened her drawer—which she quickly realized wasn't locked—to grab her YubiKey and log in. It was gone.

Who at the company would have had access to unlock her office door and desk drawer? Or had she forgotten to lock both on the way out? What was the risk level? Ultimately, IT issued her a new YubiKey.

The next day when Chris came into work, she found her old YubiKey sitting on the rear corner of her desk. Had it been there all along? She wasn't sure. Had she inadvertently left it somewhere around the office, after which someone had returned it? Nobody knew.

The point?

  • Nobody knows what really happened to Chris's YubiKey. Was it simply overlooked and there all along? Was it taken and then returned? If the latter, was it returned because it stopped working once Chris was issued a new YubiKey, indicating that someone had been using it?

  • Unintended incentives made the YubiKey too easy to take. Chris didn't feel adept at managing her YubiKey consistently—remembering, carrying, and keeping it near her at all times. The unintended incentive was for her to leave the YubiKey near the computer where she used it—significantly reducing its security benefits.

  • Money was spent and a breach may have occurred. Chris's team was left scouring logs to try to figure out if the YubiKey had been used by someone else. Uncertainty will always remain about whether a third party used it or a breach occurred as a result. Meanwhile, support overhead costs and the cost of a new YubiKey were incurred.

"I'm a little behind on my YubiKey tasks."

Third story. Brad—who had an important job onboarding new clients at his company's B2B SaaS offering—used a variety of workflows every day, the most critical protected by YubiKey and the rest not. Over a couple of weeks, Brad's manager saw his productivity fall off considerably in several job areas.

At his monthly review, Brad was asked about the things that didn't seem to be getting done—and he sheepishly admitted losing track of his YubiKey over two weeks ago, and simply not using YubiKey-protected workflows since then. He hadn't contacted IT because he was sure he'd merely misplaced it and expected it to "turn up" either at home or at work.

A day had turned into two days—then, into a week, and so on. He'd lost track of time, always assuming he'd "catch up" quickly once he figured out where he'd put it.

The point?

  • Important work wasn't getting done. Because of a temporarily misplaced YubiKey, key tasks weren't done. A YubiKey is small, easy to misplace—maybe it's in a messenger bag, maybe the car, maybe a pants pocket in the laundry. Notifying IT of a lost key seemed premature until it suddenly didn't—at a monthly review when productivity gaps became a central issue.

  • A valid credential may have spent weeks in the wrong hands. By the time Brad and his manager focused on the problem and decided it really was time to get a new YubiKey for Brad, his old YubiKey had been missing—and possibly sitting in the wrong hands—over two weeks.

  • A frustrating, costly choice was faced. Brad was a skilled worker, normally a top producer on his team. His manager had been considering a promotion and additional duties. Now he'd inadvertently caused a lapse in production and possibly a lapse in security. His manager had to choose between losing a key team member at an inconvenient time and critical security policies.


"YubiKey is causing tension between me and my users."

Final story. Owen is responsible for deploying YubiKeys to employees at his company, and it's driving him crazy.

Between home, road, and work, some users turn out to have USB A (desktop), C (recent laptop), and Mini-B (portable) ports, and are relying on adapters—or even shaky stacks of them—to use their YubiKey. Sometimes, even with jiggling and fiddling, YubiKeys can fail to be recognized. Some of the desktops at his organization have both USB 2.0 and 3.0 ports and for some reason, the drivers for the USB 3.0 ports struggle to recognize YubiKeys—but users struggle to remember which ports are which.

A couple of users with identical laptops have needed repairs after mistakenly inserting their YubiKey into HDMI ports that were positioned next to USB ports along the left sides of their machines.

Due to the problems, in a few "emergency" cases Owen has disabled multi-factor authentication for struggling users and returned them to simple username-password logins—but this is now against policy and makes Owen nervous about the risks involved—risks that were supposed to be solved by YubiKey.

The point?

  • Users are fighting to make YubiKey work—and getting tired. On several occasions, Owen realizes that he's stepped over to users' desks himself to "wiggle adapters around" to try to make authentication work, which strikes him as ridiculous. Owen feels as though too much of his time is occupied with users that have a YubiKey assigned, are willing to use it, but can't make it work on a given day or with all of their devices. Frustration is building.

  • Work and authentication are in conflict, with security consequences. In some cases users who have struggled repeatedly with YubiKeys have been enabled to work without MFA again. In other cases, users who find a combination of adapters or a port in which their assigned YubiKey works have decided to leave it permanently inserted to avoid future headaches—defeating much of the purpose.

  • Not all environments are YubiKey-friendly at the hardware level. Cases like Owen's, in which there is a lot of disparate hardware, can make YubiKey management difficult, but there are even harder real-world cases than that. For example, environments in which all USB ports must be disabled for security reasons are in direct conflict with the needs of YubiKey hardware, and finding a middle-ground solution can be difficult.

Making YubiKey—and Other Authenticators—Better Fit Your Security Strategy

Hardware authenticators do deliver stronger authentication than either simple username-password pairs or SMS one-time codes.

But the weaknesses are real. Workflows protected by YubiKey or other authenticators guarantee the presence of a small piece of hardware—not the identity of the user holding it. And as a primary MFA tool, to be used for every login workflow, they tend to be cumbersome and often lead to unexpected problems.

  • In Tim's case, an attempt to ensure that he and his YubiKey were never apart (by putting the token on his keychain) led to a situation in which Tim couldn't get into his own house—while far away, the token itself was left unprotected.

  • In Chris's case, the inconvenience of managing her YubiKey led her to store it permanently near the workstation where she used it, meaning it was routinely out of her hands for long periods—resulting in big security risks.

  • In Brad's case, uncertainty about whether his YubiKey was really lost or merely misplaced meant that it wasn't reported as missing, that work didn't get done, and that a stranger may have had access to critical systems for weeks.

  • In Owen's case, both support time and security are increasingly being sacrificed to the hardware foibles that result from YubiKey use in a mixed environment, and as a result, both users and IT staff are seeing decreased productivity and increased tension.


Stories like these are one reason why companies come to Plurilock, and for first-line MFA, we tend to move them to solutions like ADAPT or DEFEND that are based on biometric signatures from everyday input devices like keyboards and mice. This enables strong multi-factor authentication without requiring that extra hardware be used for every login.

Solutions like YubiKey can still play a role in the overall security picture. For example, if a wrist is sprained and a user's typing changes, hardware authenticators can authenticate when typing biometrics reject unrecognized typing patterns.

But Plurilock generally helps clients to eliminate 90 percent or more of their day-to-day hardware authentication prompts—and everyone is happier as a result. We suspect that over time, more and more companies will background hardware authenticators in favor of a primary MFA solution that doesn't rely on the management of tiny, key-sized fobs for everyday work.■



What are the downsides of YubiKey?

Loss or Damage: Misplacing or damaging YubiKey can lead to losing access to online accounts. Time-consuming Recovery: Restoring access to accounts in case of YubiKey loss or damage can be time-consuming. Risk of Loss or Theft: Due to its small physical size, losing or having YubiKey stolen can pose a security risk.

Why is YubiKey better than Authenticator app?

Authenticator apps provide a layer of security and are a convenient option for use by many, but they are still vulnerable to phishing due to the 30-second window. Security keys, like the YubiKey, are considered to be both more convenient and more secure. Yubico also provides a use in conjunction with the YubiKey.

Is YubiKey considered MFA?

A YubiKey is a brand of security key used as a physical multifactor authentication device.

Is YubiKey the safest?

Proven security at scale

YubiKeys are trusted by the world's largest companies and users have experienced 0 account takeovers.

What is the lifespan of a YubiKey?

However, considering a YubiKey being used five times a day, 365 days per year, it will take 18 years for the counter to get stuck. Furthermore, as this counter only increments the first time after power up / reset, the practical lifetime is even longer.

Can YubiKey get malware?

Yubico's YubiKey is built on a foundation of strong authentication. This robust resistance to phishing offers malware protection because it hinges on the ability to detect these attacks before they take place.

Why is YubiKey so expensive?

It is costly to design, mould, manufacture, sell and support a hardware product, even something as small as this. Since you don't want your 2FA company to go out of business there is good value in knowing they have a stable business model that can actually support a company rather than just burning capital.

Does YubiKey prevent hackers?

Remember that YubiKeys are hardware security keys that provide an additional layer of security to your online accounts. However, they are not immune to hacking attempts.

What happens if someone steals your YubiKey?

So, what happens if you lose your YubiKey? In that case, you can still use your Authenticator app (phew!). While you can't create a backup YubiKey, you can always contact Yubico to get a replacement key.

Does Bank of America support YubiKey?

To set up your YubiKey for Secured Transfer and online banking log-in to your online Bank of America account, go to “Profile & Settings” in the top right corner, and under “Security settings” click on “Manage SafePass”, there you should see the option to add a USB Security Key.

Can a YubiKey be phished?

Additionally, for FIDO2 credentials that are registered, the browser further enhances security by verifying that any request originates from a sanctioned domain. This additional layer makes it exceedingly difficult for an attacker to trick a user into logging in. So, in short: yes, YubiKey FIDO2 is phishing resistant.

Should you keep YubiKey plugged in?

Do I need to keep my YubiKey plugged in all the time? A. No, you only need to insert your YubiKey when you are prompted to do so during login. Leaving it plugged in could result in the YubiKey being lost or damaged.

Who owns Yubico?

Founded in 2007 by CEO Stina Ehrensvärd, Yubico is a private company with offices in Palo Alto, Seattle, and Stockholm. Yubico CTO, Jakob Ehrensvärd, is the lead author of the original strong authentication specification that became known as Universal 2nd Factor (U2F).

Does Google use YubiKey?

The YubiKey is a hardware security key that provides strong one-touch authentication, and works seamlessly with Google Accounts. Fortify your login by turning on Google 2-Step Verification and registering the YubiKey with your account.

Should I leave my YubiKey plugged in all the time?

If it's your first time using a YubiKey and you're used to Touch ID, we suggest using the Nano key and leaving it plugged in. If you're working from home, you can leave it plugged in.

What are the disadvantages of security key?

Hardware Security Key Cons

If you have multiple users of a single account, sharing a key can be a bit impractical. Just like with your smartphone, if you lose your security key, it can make accessing your accounts difficult unless you've set alternative access options as a backup.

Is YubiKey a good idea?

The Yubico Security Key C NFC is the best choice: It's affordable and will work with just about every site that supports security keys. If you're already familiar with security keys and need or want more-advanced features, the Yubico YubiKey 5C NFC is a pricier but worthwhile choice.


Author: Fr. Dewey Fisher
