Using Digital Certificates on Yubikey

Yubikeys are an incredibly secure method of protecting yourself from data theft, but you’re probably not using them to their full potential.

Natively, Yubikeys only support credential-based authentication through key pairs and one-time passwords. However, SecureW2 has developed an industry-first solution for enrolling the security keys for digital certificates – a vastly superior authentication method.

The Advantages of Certificates on Yubikey

Certificates Allow Yubikey to Authenticate More Services

There’s a shortcoming of Yubikeys that is important to note – they aren’t universally supported. Here’s a list of the sites and services that are currently supported. Outside of those applications, they’re useful for controlling access to your devices.

Yubikeys can secure those adequately with their native credential capabilities, but when equipped with certificates, a Yubikey becomes even more versatile.

Using SecureW2’s Yubikey certificate solution, you can configure your keys to access your WPA2-Enterprise network. Restricting Wi-Fi access to just people with a certificate-configured key makes your network virtually impenetrable to over-the-air attacks (like the notorious man-in-the-middle attack).

In addition to Wi-Fi access, you can also use our Yubikey solution to sign into desktop and VPN services.

Furthermore, the use of certificates has the potential to expand the scope of Yubikey integrations to any application or service that supports PKI.

In order to utilize certificates on Yubikeys, you’ll need the appropriate network infrastructure to support certificate issuance and revocation. SecureW2 can help transition your WPA2-Enterprise network to EAP-TLS, the authentication protocol that uses certificates.

We offer all the necessary components to build an EAP-TLS network from scratch, including Cloud RADIUS and full PKI services. We can also integrate into any existing infrastructure you might have, including RADIUS servers and any major access points.

Certificates on Yubikeys Harden Your Network Against OTA Attacks

[Image: yubikey certificate. Source: Yubico]

Security keys, like the Yubikey, are primarily a defense against phishing and other strategies that rely on human fallibility. After all, you can’t be fooled into giving away your credentials if you don’t know what they are in the first place.

However, Yubikeys don’t protect you from more advanced over-the-air hacking techniques, such as the infamous man-in-the-middle attack. The credentials are securely passed to the device, but that’s as far as security key protection goes. They’re communicated over the same network as all of the other potentially insecure traffic.

Yubikeys and certificates both rely on asymmetric cryptography to protect their data, but the scope of their protection differs.

Certificates ensure that the authentication process is protected from start to finish. The private key is protected from the moment it is generated on the Yubikey through to the moment the recipient application authenticates the certificate.

Lose your Yubikey? No problem.

Losing a security key is a big deal.

No, it’s unlikely a person could pick it up and use it to access your accounts. After all, they’d still need to know your PIN. The real issue with losing a security key is that you’ll have to replace it and re-register it with every application you’ve been using it with.

For some, that might just be their email. For other people, it could be up to 20 or 30 services across the web. On an enterprise level, employees might lose a key or two every day – the time lost recovering keys or re-pairing them to services would add up quickly.

If your Yubikey is equipped with a certificate, however, replacing it is a non-issue. The services it’s registered to aren’t actually registered to the physical key – they’re tied to the identity stored in the PKI. All you have to do is revoke the old certificate so it can’t be used, then issue a new certificate to a new key, bound to the same employee’s identity. It will be ready for use immediately.
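The lifecycle just described (issue a certificate to an employee’s key, revoke it when the key is lost, issue a replacement for the same identity to a new key) and the certificate check an EAP-TLS RADIUS server performs on it can be shown end to end. The Go program below is an added example and is not SecureW2’s, Yubico’s or this page’s own code. It uses only the standard library’s crypto/x509 (Go 1.19 or later is assumed); a constructed toy CA stands in for the organisation’s PKI, ecdsa.GenerateKey stands in for each Yubikey generating its key pair on the token, "alice@example.com" is a constructed identity, and Authenticate is the RADIUS-side decision reduced to its certificate logic rather than the RADIUS wire protocol. All function and type names are the example’s own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // keeps the demo short; production code handles each error
	if err != nil {
		panic(err)
	}
	return v
}

// newKey stands in for a YubiKey generating a key pair on the token; serial draws random serials as real CAs do.
func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
func serial() *big.Int { return new(big.Int).Add(must(rand.Int(rand.Reader, big.NewInt(1<<62))), big.NewInt(1)) }

// CA is a constructed toy issuing authority standing in for the organisation's PKI (an assumption of this example).
type CA struct {
	Cert    *x509.Certificate
	key     *ecdsa.PrivateKey
	revoked []pkix.RevokedCertificate
}

func newCA(name string) *CA {
	key := newKey()
	tmpl := &x509.Certificate{SerialNumber: serial(), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign} // crlSign is mandatory for CreateRevocationList
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return &CA{Cert: must(x509.ParseCertificate(der)), key: key} // re-parse: CRL issuance needs the generated SubjectKeyId
}

// Issue binds an identity (the employee, not the physical key) to a public key; the CA never sees the private half.
func (ca *CA) Issue(identity string, pub *ecdsa.PublicKey) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: serial(), Subject: pkix.Name{CommonName: identity},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, pub, ca.key))))
}

// CRL publishes the CA's revoked serials as a signed, time-bounded revocation list.
func (ca *CA) CRL() []byte {
	tmpl := &x509.RevocationList{Number: big.NewInt(time.Now().UnixNano()), ThisUpdate: time.Now(),
		NextUpdate: time.Now().Add(time.Hour), RevokedCertificates: ca.revoked}
	return must(x509.CreateRevocationList(rand.Reader, tmpl, ca.Cert, ca.key))
}

// Authenticate is the RADIUS-side decision of an EAP-TLS exchange reduced to its certificate logic:
// chain to the trusted root, client-auth usage, not revoked. On success it returns the asserted identity.
func Authenticate(root *x509.Certificate, crlDER []byte, client *x509.Certificate) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := client.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", errors.New("chain validation failed")
	}
	crl, err := x509.ParseRevocationList(crlDER)
	// Revocation data counts only if it parses, the issuer signed it, and it is still current: never fail open.
	if err != nil || crl.CheckSignatureFrom(root) != nil || time.Now().After(crl.NextUpdate) {
		return "", errors.New("CRL unusable: malformed, unsigned or stale")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(client.SerialNumber) == 0 {
			return "", errors.New("certificate revoked")
		}
	}
	return client.Subject.CommonName, nil
}

// LostKeyScenario walks the lifecycle from the post: issue to key 1, lose it, revoke, then issue for the
// same identity to key 2. It returns one result line per authentication attempt.
func LostKeyScenario() []string {
	ca, out := newCA("Example Corp Root CA"), []string{}
	try := func(label string, crl []byte, c *x509.Certificate) {
		if id, err := Authenticate(ca.Cert, crl, c); err != nil {
			out = append(out, label+": rejected: "+err.Error())
		} else {
			out = append(out, label+": accepted as "+id)
		}
	}
	const employee = "alice@example.com" // constructed identity
	cert1 := ca.Issue(employee, &newKey().PublicKey)
	try("key 1 before loss", ca.CRL(), cert1)
	// The key is lost: put its serial on the revocation list and publish a fresh CRL.
	ca.revoked = append(ca.revoked, pkix.RevokedCertificate{SerialNumber: cert1.SerialNumber, RevocationTime: time.Now()})
	crl := ca.CRL()
	try("key 1 after revocation", crl, cert1)
	cert2 := ca.Issue(employee, &newKey().PublicKey) // same identity, new key, nothing to re-register
	try("key 2 reissued to same identity", crl, cert2)
	return out
}

func main() { fmt.Println(LostKeyScenario()) }
```

Run it with go run: the three result lines show the original certificate accepted before revocation, rejected once the CRL lists its serial, and the reissued certificate for the same identity accepted with no change on the server side, which is the point of tying access to the PKI identity rather than the physical key. Two details worth carrying into a real deployment are made explicit here: the CA certificate must carry the crlSign key usage or it cannot publish a CRL, and the authenticator refuses to decide on a CRL that is unsigned or past its NextUpdate instead of failing open.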


How to Use Certificates on a Yubikey

Configuring Yubikeys for certificates is simple with SecureW2. With just a few clicks in our world-class management portal, you can create a custom client that will configure your Yubikey for certificate enrollment.

Here’s a brief GIF of the process:

[Animated GIF: yubikey wifi]

Ready for certificates to expand the ability of your Yubikeys and enhance your security? SecureW2 has affordable options for organizations of all sizes. Check out our pricing here.

Patrick Grubbs

Patrick is an experienced SEO specialist at SecureW2 who also enjoys running, hiking, and reading. With a degree in Biology from College of William & Mary, he got his start in digital content by writing about his ever-expanding collection of succulents and cacti.
