Using Digital Certificates on Yubikey

Yubikeys are an incredibly secure method of protecting yourself from data theft, but you’re probably not using them to their full potential.

Natively, Yubikeys only support credential-based authentication through keypairs and one-time passwords. However, SecureW2 has developed an industry-first solution for enrolling the security keys for digital certificates – a vastly superior authentication method.

The Advantages of Certificates on Yubikey

Certificates Allow Yubikey to Authenticate More Services

There’s a shortcoming of Yubikeys that is important to note – they aren’t universally supported. Here’s a list of the sites and services that are currently supported. Outside of those applications, they’re useful for controlling access to your devices.

Yubikeys can secure those adequately with their native credential capabilities, but when equipped with certificates, a Yubikey becomes even more versatile.

Using SecureW2’s Yubikey certificate solution, you can configure your keys to access your WPA2-Enterprise network. Restricting Wi-Fi access to just people with a certificate-configured key makes your network virtually impenetrable to over-the-air attacks (like the notorious man-in-the-middle attack).

While our software solution is currently only configured to allow network access with Yubikey, the use of certificates has the potential to expand the scope of Yubikey integrations to any application or service that has a PKI.

In order to utilize certificates on Yubikeys, you’ll need the appropriate network infrastructure to support certificate issuance and revocation. SecureW2 can help transition your WPA2-Enterprise network to EAP-TLS, which supports certificates.

We offer all the necessary components to build an EAP-TLS network from scratch, including Cloud RADIUS and full PKI services. We can also integrate into any existing infrastructure you might have, including RADIUS servers and any major access points.

Certificates on Yubikeys Harden Your Network Against OTA Attacks


Security keys, like the Yubikey, are primarily a defense against phishing and other strategies that rely on human fallibility. After all, you can’t be fooled into giving away your credentials if you don’t know what they are in the first place.

However, Yubikeys don’t protect you from more advanced over-the-air hacking techniques, such as the infamous man-in-the-middle attack. The credentials are securely passed to the device, but that’s as far as security key protection goes. They’re communicated over the same network as all of the other potentially insecure traffic.

Yubikeys and certificates both rely on asymmetric cryptography to protect their data, but the scope of their protection differs.

Certificates ensure that the authentication process is protected from start to finish. The private keys are invulnerable from the moment they’re generated on the Yubikey until they are authenticated by the recipient application.

No Need to Remember a PIN for Yubikey

The normal procedure for using a Yubikey is to insert the key, enter your PIN, and tap for authentication.

If your Yubikey is enrolled for certificate authentication through SecureW2, you only need to enter a PIN the very first time you set up your Yubikey. Afterwards, you can authenticate to your WPA2-Enterprise Wi-Fi network with just a tap of the device – and it’s even more secure.

People forget passwords and PINs all the time. When you forget your credentials on a Yubikey, you have to completely wipe the device, erasing all of the stored keys and forcing you to reintegrate with all the applications you use. That’s an enormous headache for individuals and an even bigger waste of time and resources for IT in a company that has deployed Yubikeys to every employee.

Certificates tie the identity of a person and device to authentication, much like a picture ID, which renders credentials redundant. Authentication through certificates doesn’t require input from users at all. It eliminates the need to remember passwords and to have a password or PIN reset policy.

How to Use Certificates on a Yubikey

Configuring Yubikeys for certificates is simple with SecureW2. With just a few clicks in our world-class management portal, you can create a custom client that will configure your Yubikey for certificate enrollment.

Here’s a brief .GIF of the process:

Ready for certificates to expand the ability of your Yubikeys and enhance your security? SecureW2 has affordable options for organizations of all sizes. Check out our pricing here.