Life with YubiKey; Physical Security Tokens – It’s not there yet
Back in 2018 Google announced the Titan security key with overwhelming internal success. Since Microsoft hasn’t entered this market yet, we thought we’d give the leading 3rd party provider, YubiKey, a spin.
YubiKey is a physical access token that plugs into the USB port of your computer. When a website prompts for multi-factor authentication just tap the gold Y and it finishes up the MFA process. This is all pretty straight forward and works really well for websites like LastPass, Facebook, and Dropbox. Where we ran into problems is with Microsoft and iPhones.
The original thought on Windows computers was that we could simple insert the YubiKey into the USB port and then the computer would auto login/unlock. While the key does indeed allow the computer to auto unlock, it does not work on first startup of the computer as it needs one of their auxiliary apps (YubiKey for Windows Hello) to be running in the background first.
Moving past the physical computer, Microsoft’s cloud portals were our next challenge. Thankfully Microsoft has solidified their MFA strategy with text codes and their authenticator app for mobile devices. But getting a 3rd party MFA token required making some changes in Azure Active Directory. While the changes were minor, it requires running another one of their apps (Yubico Authenticator) on the computer as well in order to generate 6-digit codes to enter into Microsoft’s MFA prompts.
YubiKey incorporates NFC into their keys which is fantastic for Android users. But Apple hasn’t opened their NFC chips on iPhones (yet) to be able to be used for much more than Apple Pay. So, for the iOS users out there, you’ll need access to the aforementioned Yubico Authenticator app on a computer in order to enter the 6-digit code on your mobile apps.
I didn’t set out to write this post as a downer on YubiKey. Specifically, using their key on supported websites with MFA works really well. And we know Microsoft allows you to install Windows on just about anything that has a CPU which creates compatibility issues for hardware authentication. But my goal was to shed light on this area that could use some singularity.