Cyber security is ever-evolving to counter the attacks that are getting more aggressive by the day. One-step authentication is no longer enough to establish identity with absolute certainty. 2FA (two-factor authentication) or MFA (Multi-factor-authentication) are becoming more frequently used for better identity context. However, the traditional method of using a mobile phone for SMS is not the most reliable as it is susceptible to phishing attacks.
Smart Cards technology is one tool that is gaining popularity with governments and companies across the globe as a more secure alternative for 2FA and MFA. These chips are increasingly used in ID cards, SIM cards, credit/debit cards, and security keys, and one of the most popular uses of these smart cards as a physical security key is Yubikey.
One of the features of new Yubikeys is that they can perform “attestation”, which gives them the potential to be even more powerful in terms of protecting your data.
In coordination with Yubico, SecureW2 has improved on the native attestation feature, making it easier to implement and giving it more features. Read on to learn about what Yubikey attestation is and how you can use it.
What is Yubikey Attestation?
Attestation means the same thing in cybersecurity as it does in the legal world – it’s a signature that verifies the origin of a document, or in this case, a digital certificate.
Attestation for digital certificates is usually performed on the device that the certificate is being issued to. That’s a critical component of attestation because the only time digital certificates are vulnerable to being compromised is when they are being distributed to client devices. On-device attestation proves that the certificate was generated locally and is uncompromised.
Of course, if it were that easy, all device certificates would be attested automatically. In order to generate and attest a legitimate digital certificate you need to have a secure cryptoprocessor such as a hardware security module (HSM) or PIV-enabled smartcard on the device itself, as is the case with several Yubico products.
Yubico’s Native Attestation Features
Yubikey 4.3 and newer all come with the ability to attest their asymmetric key natively, but using the feature takes a bit of legwork.
All attestation-compatible yubikeys come preloaded with an X.509 certificate in key slot f9 which is only to be used for verifying (attesting) keys and certificates generated on the device. This preexisting certificate is signed by the Yubico PIV CA, but it can be overwritten with your organization’s own attestation certificate if needed.
In order to use the attestation feature, you have to manually repeat the piv-action-tool commands for each certificate you want to attest on each Yubikey. Note that clearing or resetting a Yubikey does not remove the attestation certificate.
Yubico’s attestation documentation can be found here.
SecureW2 Enhanced Yubikey Attestation
As a Yubico Partner, SecureW2 has developed several solutions that advance the security and convenience offered by Yubikeys. Expanding on their attestation feature by integrating it with our robust certificate management platform was a natural next step.
Whereas the native Yubikey certificate attestation requires manual command line verification for each key or certificate, our solution makes the process scale much better through an intuitive GUI.
Once users have gone through the simple enrollment process shown above, the SecureW2 management portal will be able to attest the private key was generated on the YubiKey.
The management platform also allows you to create certificate management policies which, like group policies, enable you to segment your users’ permissions and access levels based on a variety of criteria – such as whether or not their certificate is attested.
When you can attest a private key has been generated on a YubiKey, you can give the highest assurance levels possible and provide security clearance with the utmost confidence.
Recent Improvements in Yubikey Attestation
SecureW2 now uses a newer feature wherein the management key is stored on the Yubikey itself and is completely randomized. The PIN is used anytime the management key has to be accessed or unlocked. This feature helps mitigate the potential security risks otherwise attached to the Management Key.
Unlike the PIN, the Management Key does not have a time-out after three unsuccessful attempts, as mentioned above. So no matter how slim a scope, there is always the risk of someone cracking the Management Key and hacking your network. With this new feature, your Yubikey Management Key remains safe, and the potential security risk is mitigated.
Whenever the management key is needed to perform any special activities, such as enrollment or onboarding, we take the PIN from the user and authenticate with the PIN to get the Management Key from Yubikey. We then use the key provided by Yubikey to unlock ‘maintenance’ features.
Though this may seem like unnecessary steps, it actually is an effective way to mitigate the security risks attached to the Management Key that we discussed when talking about the Yubikey PINs. This innovation does not impact the overall user experience as the user does not experience any major changes. In fact, they now have just to remember the PIN and not have to worry about storing the Management Key.
Upgrade Your Security With Yubikey Certificate Attestation
As an MFA device, Yubikeys are already a stellar method of strengthening your organization’s security, but it can be so much more.
Our industry-first Yubikey certificate management solution hugely expands both the range of services your Yubikey can authenticate and the security a Yubikey provides against threats internal and external. Use our platform to enroll certificates for desktop, Wi-Fi, and VPN logon with your Yubikey, or to create certificate policies for access management.
We have affordable options for organizations of every size. Click here to see our pricing.
