PKI-Supported CMS for Yubikey

A CMS (Credential Management System) or SCMS (Smart Card Management System) is an invaluable tool for organizations using smart cards and security keys. It provides many functions for controlling the credentials on all of your devices from one centralized place.

SCMSs in particular can be used for any device that has an onboard smart card, which opens the door to managing devices en masse that you might not otherwise be able to. One novel application of this technology is our very own Yubikey certificate management and distribution solution.

Deploying Yubikey for Enterprise MFA

Many organizations are adopting Yubikeys for their easy plug-and-play upgrade to authentication. As an MFA device, the Yubikey brings a lot to the table:

  • One time passwords
  • Biometric authentication
  • Physical touch authentication
  • PIN authentication

It’s a simple way to control access to sensitive accounts through a physical, “something you have” type of authentication. That’s particularly useful at a time when phishing attempts are more numerous and more advanced than ever before.

In our capacity as an official Yubico Partner, SecureW2 is pioneering the field of SCMS solutions for Yubikeys. Enterprise Yubikey management is now possible because our software enrolls Yubikeys for digital certificates instead of credentials, opening up a huge range of possibilities.

Here are a couple of the advantages our Yubikey solution brings to the table:

  1. Vastly expanded range of integrations. By default, Yubikeys can only be used to authenticate to the 50 or so predetermined services. Our solution lets you use onboard certificates to authenticate to almost anything.
  2. Automatic Certificate Enrollment for Yubikeys. This is where the “SCMS” part comes in. Natively, Yubikeys don’t support any type of at-scale key management. Now, you can use our robust management suite to automatically enroll every Yubikey for certificates and manage them from one central location.

Benefits of Yubikey Certificates

802.1x certificates are superior to credentials for several reasons, and their scope is amplified when using them on a security token like the Yubikey.

  1. Certificates make security keys more secure. They use asymmetric cryptographic principles, namely a public-private key pair, in order to authenticate. This method makes the certificate immune to over-the-air attacks and unable to be stolen, unlike other credentials.
  2. Certificates are a better user experience. Remembering passwords is a pain… and it’s also a security vulnerability. Certificates enable passwordless authentication that has greater reliability and security. In the event that a Yubikey is lost or stolen, all of the certificates can be revoked remotely so that you don’t have to rely on the strength of the PIN protecting the Yubikey.
  3. Certificates expand the range of Yubikey integrations. By default, Yubikeys can only be used to access a predetermined list of services. Using a certificate bypasses the native authentication function so that you can create a public-private key pair with any service that supports it. It allows you to use your security key for desktop logon, Wi-Fi login, VPN access, and more.
  4. Certificates enable SCMS for Yubikey. There is no way to manage Yubikeys on an enterprise level without enrolling them for certificates. Certificates are their bridge to a PKI, which enables you to monitor and manage an unlimited number of Yubikeys simultaneously, all from one centralized place.

SecureW2 PKI-Backed Yubikey SCMS

Yubikeys have the potential to revolutionize the way your users authenticate – to make it easier, faster, and more secure. Don’t let the prospect of drudging through hundreds of manual configurations and inevitable support tickets dissuade you from upgrading your security. Our industry-first Yubikey SCMS solution makes the process smooth and painless.


With SecureW2, configuring your Yubikey for certificate-hardened security is a breeze. Organizations can detect default PIN/PUKs and enforce secure policies, allowing users to easily reset their PIN and/or PUK on the spot. Tied to our turnkey and easy-to-use PKI services, it’s incredibly easy to see and manage the certificates issued to the keys as well. It comes built in with Private Key Attestation, so admins can be assured the keys were generated on the Yubikey and give clearance for maximum security applications.

SecureW2 has affordable options for organizations of all sizes. If you’re interested in learning more about our CMS/SCMS solutions, contact us today or click here to see our pricing.


Learn about this author

Patrick Grubbs

Patrick is an experienced SEO specialist at SecureW2 who also enjoys running, hiking, and reading. With a degree in Biology from College of William & Mary, he got his start in digital content by writing about his ever-expanding collection of succulents and cacti.
