A key part of our business at Plurilock™ involves helping companies to move beyond the multi-factor authentication infrastructure that they already have—and that they are often not yet entirely comfortable with.
Hardware authenticators in particular tend to be more difficult to work with than companies initially think they will be. Though they're more secure technologies than SMS one-time codes, organizations often find that when used as a primary MFA solution they impose costs, inconveniences, lost productivity, and security risks that weren't foreseen.
The four stories below illustrate some of these problems and come either from Plurilock's own customers or from others in the cybersecurity industry. Read through them and see if they resemble stories from within your own organization.
"My YubiKey kept me from going home."
In our first story, a YubiKey user—let's call him Tim—worked in a YubiKey-based authentication environment at work.
On one particular evening last year, Tim left work after a long workday and embarked on his nearly two-hour, often frustrating commute home, eager to recharge for the night.
When he got home, he reached into his pocket only to find that he didn't have his keys. They, of course, were attached to the YubiKey on his keychain—which was still in his computer's USB port at work.
The organization's security was compromised. Tim's YubiKey was left unattended—with Tim miles and miles (and hours) away. This left Tim and his organization open to an insider breach—others in the office could have nabbed the key, reused it, and then returned it to its place in his USB port without anyone being the wiser.
Tim's own security was compromised. Similarly, Tim's house keys were left in full view at his workstation, with others aware that Tim had embarked on a long commute home. Tim's personal home and other keys could have been taken, copied, and replaced—once again on the sly. Meanwhile, Tim was stuck on the street miles away from his keys.
Tim's evening was ruined. After a lengthy commute home, Tim was forced to immediately turn around, commute all the way back to work, try to get in after hours without his keychain, retrieve his YubiKey and house keys from the USB port, then commute all the way back home again. An already onerous one-way evening commute became a non-trivial, multi-hour ordeal.
"I don't know what my YubiKey's been up to."
Let's move on to our second story. In it, an executive—let's call her Chris—thought she was smarter than guys like Tim.
Chris didn't keep her YubiKey on her keychain because that seemed like a risk—multiple security items from different parts of her life all tied together. But carrying her YubiKey "bare," she'd left it in the wrong bag several times when switching purses in the morning before work.
So, Chris had taken to leaving her YubiKey in her desk drawer at the office.
One day last year, Chris came into work and opened her drawer—which she quickly realized wasn't locked—to grab her YubiKey and log in. It was gone.
Who at the company would have had access to unlock her office door and desk drawer? Or had she forgotten to lock both on the way out? What was the risk level? Ultimately, IT issued her a new YubiKey.
The next day when Chris came into work, she found her old YubiKey sitting on the rear corner of her desk. Had it been there all along? She wasn't sure. Had she inadvertently left it somewhere around the office, after which someone had returned it? Nobody knew.
Nobody knows what really happened to Chris's YubiKey. Was it simply overlooked and there all along? Was it taken and then returned? If the latter, was it returned because it stopped working once Chris was issued a new YubiKey, indicating that someone had been using it?
Unintended incentives made the YubiKey too easy to take. Chris didn't feel adept at managing her YubiKey consistently—remembering, carrying, and keeping it near her at all times. The unintended incentive was for her to leave the YubiKey near the computer where she used it—significantly reducing its security benefits.
Money was spent and a breach may have occurred. Chris's team was left scouring logs to try to figure out if the YubiKey had been used by someone else. Uncertainty will always remain about whether a third party used it or a breach occurred as a result. Meanwhile, support overhead costs and the cost of a new YubiKey were incurred.
"I'm a little behind on my YubiKey tasks."
Third story. Brad—who had an important job onboarding new clients at his company's B2B SaaS offering—used a variety of workflows every day, the most critical protected by YubiKey and the rest not. Over a couple of weeks, Brad's manager saw his productivity fall off considerably in several job areas.
At his monthly review, Brad was asked about the things that didn't seem to be getting done—and he sheepishly admitted losing track of his YubiKey over two weeks ago, and simply not using YubiKey-protected workflows since then. He hadn't contacted IT because he was sure he'd merely misplaced it and expected it to "turn up" either at home or at work.
A day had turned into two days—then, into a week, and so on. He'd lost track of time, always assuming he'd "catch up" quickly once he figured out where he'd put it.
Important work wasn't getting done. Because of a temporarily misplaced YubiKey, key tasks weren't done. A YubiKey is small, easy to misplace—maybe it's in a messenger bag, maybe the car, maybe a pants pocket in the laundry. Notifying IT of a lost key seemed premature until it suddenly didn't—at a monthly review when productivity gaps became a central issue.
A valid credential may have spent weeks in the wrong hands. By the time Brad and his manager focused on the problem and decided it really was time to get a new YubiKey for Brad, his old YubiKey had been missing—and possibly sitting in the wrong hands—over two weeks.
A frustrating, costly choice was faced. Brad was a skilled worker, normally a top producer on his team. His manager had been considering a promotion and additional duties. Now he'd inadvertently caused a lapse in production and possibly a lapse in security. His manager had to choose between losing a key team member at an inconvenient time and critical security policies.
"YubiKey is causing tension between me and my users."
Final story. Owen is responsible for deploying YubiKeys to employees at his company, and it's driving him crazy.
Between home, road, and work, some users turn out to have USB A (desktop), C (recent laptop), and Mini-B (portable) ports, and are relying on adapters—or even shaky stacks of them—to use their YubiKey. Sometimes, even with jiggling and fiddling, YubiKeys can fail to be recognized. Some of the desktops at his organization have both USB 2.0 and 3.0 ports and for some reason, the drivers for the USB 3.0 ports struggle to recognize YubiKeys—but users struggle to remember which ports are which.
A couple of users with identical laptops have needed repairs after mistakenly inserting their YubiKey into HDMI ports that were positioned next to USB ports along the left sides of their machines.
Due to the problems, in a few "emergency" cases Owen has disabled multi-factor authentication for struggling users and returned them to simple username-password logins—but this is now against policy and makes Owen nervous about the risks involved—risks that were supposed to be solved by YubiKey.
Users are fighting to make YubiKey work—and getting tired. On several occasions, Owen realizes that he's stepped over to users' desks himself to "wiggle adapters around" to try to make authentication work, which strikes him as ridiculous. Owen feels as though too much of his time is occupied with users that have a YubiKey assigned, are willing to use it, but can't make it work on a given day or with all of their devices. Frustration is building.
Work and authentication are in conflict, with security consequences. In some cases users who have struggled repeatedly with YubiKeys have been enabled to work without MFA again. In other cases, users who find a combination of adapters or a port in which their assigned YubiKey work have decided to leave it permanently inserted to avoid future headaches—defeating much of the purpose.
Not all environments are YubiKey-friendly at the hardware level. Cases like Owen's, in which there is a lot of disparate hardware, can make YubiKey management difficult, but there are even harder real-world cases than that. For example, environments in there is a need for all USB ports to be disabled for security reasons are in direct conflict with the needs of YubiKey hardware, and finding a middle-ground solution can be difficult.
Making Yubikey—and Other Authenticators—Better Fit Your Security Strategy
Hardware authenticators do deliver stronger authentication than either simple username-password pairs or SMS one-time codes.
But the weaknesses are real. Workflows protected by YubiKey or other authenticators guarantee the presence of a small piece of hardware—not the identity of the user holding it. And as a primary MFA tool, to be used for every login workflow, they tend to be cumbersome and often lead to unexpected problems.
In Tim's case, an attempt to ensure that he and his YubiKey were never apart (by putting the token on his keychain) led to a situation in which Tim couldn't get into his own house—while far away, the token itself was left unprotected.
In Chris's case, the inconvenience of managing her YubiKey led her to store it permanently near the workstation where she used it, meaning it was routinely out of her hands for long periods—resulting in big security risks.
In Brad's case, uncertainty about whether his YubiKey was really lost or merely misplaced meant that it wasn't reported as missing, that work didn't get done, and that a stranger may have had access to critical systems for weeks.
In Owen's case, both support time and security are increasingly being sacrificed to the hardware foibles that result from YubiKey use in a mixed environment, and as a result, both users and IT staff are seeing decreased productivity and increased tension.
Stories like these are one reason why companies come to Plurilock, and for first-line MFA, we tend to move them to solutions like ADAPT or DEFEND that are based on biometric signatures from everyday input devices like keyboards and mice. This enables strong multi-factor authentication without requiring that extra hardware be used for every login.
Solutions like YubiKey can still play a role in the overall security picture. For example, if a wrist is sprained and a user's typing changes, hardware authenticators can authenticate when typing biometrics reject unrecognized typing patterns.
But Plurilock generally helps clients to eliminate 90 percent or more of their day-to-day hardware authentication prompts—and everyone is happier as a result. We suspect that over time, more and more companies will background hardware authenticators in favor of a primary MFA solution that doesn't rely on the management of tiny, key-sized fobs for everyday work. ■