How to Use Yubikeys for VPN

Eytan Raphaely Education


Yubikeys are a useful and secure tool for protecting yourself from data theft. They add a layer of authentication and can be used with other authentication methods to further protect your data.

While Yubikeys are already a powerful multi-factor authentication device, using them in conjunction with certificates to authenticate VPN login allows you to work from home while maintaining security best practices for your organization’s private data. SecureW2 has developed an industry-first solution for enrolling security keys for digital certificates, ensuring you have the highest quality security in any situation.

Advantages of Using Yubikey For VPN

Using a security key (like a Yubikey) with certificates to access VPN has benefits both to the individual and the organization as a whole.

Certificates are a convenient way to eliminate the need for antiquated credentials, and you can easily keep a Yubikey at your desk or on your key ring and access your VPN with the same ease as using passwords, but much more securely. Certificates also add the following benefits:

  • Certificates are tied to the identity of a person or device, unlike credentials, meaning you know exactly who is using the network and for what. A person can’t ‘lend’ their coworker their certificate to log in.
  • Certificates are the best protection against over-the-air attacks like the man-in-the-middle attack. Certificates are virtually impenetrable, unlike passwords. Even if a bad actor managed to intercept your data during login, they would still lack the vital private key, rendering the attack useless.
  • Certificates reduce the burden on your IT department because they eliminate the need for password-reset policies, which inevitably cause massive confusion every 60 or 90 days. Certificate lifetimes can be 10+ years.
  • Certificates also offer a significant improvement in user experience over OAuth. If you lose your Yubikey, OAuth requires you to set up your Yubikey again for every single application. Certificates only require you to re-enroll for a client certificate, and then everything works again.

A physical security token makes a VPN virtually impossible to hack through standard tactics. The asymmetric cryptographic foundation is virtually uncrackable and data thieves are unable to steal a physical device wirelessly.

How To Set Up Certificate-Based VPN Authentication

Many organizations find generating and managing certificates to be a major hassle; however, SecureW2’s Managed PKI comes with a state-of-the-art management portal that allows certificates to be handled with ease. In order to set up certificate authentication for our VPN, we need to create a Certificate Authority (CA) and import it onto our firewall, VPN gateway or RADIUS server. Here’s how to create certificate authorities with SecureW2:

  1. Under PKI Management, select Certificate Authorities
  2. Select Add Certificate Authority
  3. Choose Intermediate CA under Type
  4. Select the corresponding Root CA under Certificate Authority
    1. You can easily create a new Root CA in Add Certificate Authority if needed
  5. Choose your desired setting under Generate Via
    1. Internal System: The intermediate CA private key and certificate are stored in the cloud. This CA can then be used in the Enrollment policy to sign client certificates
    2. Certificate Signing Request: Allows administrators to upload a Certificate Signing Request and have it signed by the Root CA
    3. Browser: The intermediate CA private key and certificate are not stored in the cloud portal and can be downloaded. This CA cannot be used for device enrollment and is used for SSL inspection
  6. Choose a name and expiration date, then save

Next, go to your RADIUS server or firewall management portal and import the intermediate CA.

How to Use Yubikey For Certificate VPN Authentication

To use a Yubikey for VPN authentication, you need to get a unique client certificate onto your PIV-compatible Yubikey. The certificate will reside on the Yubikey’s smart card (PIV) applet, where it will be used for VPN authentication. Getting the certificate onto the Yubikey is really simple, because SecureW2 allows end users to easily enroll their Yubikeys for certificates.

With your Yubikey inserted into the computer, run the SecureW2 onboarding client, enter your PIN/PUK and your directory credentials, and you’re done. Below is a GIF summary of the process – it only takes a couple of minutes!
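The CA creation steps above and the enrollment step here meet at one gateway-side check: the firewall, VPN gateway or RADIUS server trusts only the intermediate CA it imported and accepts a client certificate only if it chains to that CA. The Go program below is an added example, not SecureW2's code or the Yubikey tooling; it builds a constructed root, a VPN intermediate and a user certificate in memory (standing in for the CA created in the portal and the certificate enrolled onto the Yubikey's PIV slot), then shows the gateway accepting that certificate and rejecting one issued by a different intermediate under the same root. All names and validity periods are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// makeCert issues tmpl under parent with a fresh P-256 key; a nil parent yields a self-signed root.
func makeCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil { parent, parentKey = tmpl, key }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// caTemplate mirrors a CA created in the portal: a constructed CA certificate valid for one day here.
func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
}

// VerifyClientCert is the gateway-side check after the import step: only the imported intermediate
// is a trust anchor, and the presented certificate must chain to it with the clientAuth key usage.
func VerifyClientCert(leaf, intermediate *x509.Certificate) error {
	trusted := x509.NewCertPool()
	trusted.AddCert(intermediate)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: trusted, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// Demo builds the constructed PKI (root -> VPN intermediate and a second intermediate -> user certs) and returns the gateway's verdict on each.
func Demo() (enrolled, other error) {
	root, rootKey := makeCert(caTemplate("Example Root CA", 1), nil, nil)
	vpnCA, vpnKey := makeCert(caTemplate("Example VPN Intermediate CA", 2), root, rootKey)
	otherCA, otherKey := makeCert(caTemplate("Example Other Intermediate CA", 3), root, rootKey)
	user := &x509.Certificate{SerialNumber: big.NewInt(4), Subject: pkix.Name{CommonName: "alice@example.com"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	good, _ := makeCert(user, vpnCA, vpnKey)      // what the user enrolls onto the Yubikey PIV slot
	stray, _ := makeCert(user, otherCA, otherKey) // same root, but not the CA the gateway imported
	return VerifyClientCert(good, vpnCA), VerifyClientCert(stray, vpnCA)
}
```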

Easy VPN Yubikey Authentication with SecureW2

Putting your network’s security at the forefront allows you to put your mind at ease. Ready for certificates to expand the ability of your Yubikeys and enhance your security? SecureW2 has affordable options for organizations of all sizes. Check out our pricing here.


Learn About This Author

Eytan Raphaely

Eytan Raphaely is a 25-year-old currently working in marketing; his true passion is making things that he thinks are really funny, that other people think are mildly funny. He is a recent graduate of the University of Washington, where he studied digital marketing. Eytan has been honing his writing skills as an intern for a small studio, a marketing firm, an editor for Literally Media, and other places too.