Interview: How To Choose A Secure, User-Friendly MFA Solution

Ronnie Manning is the Chief Marketing Officer at Yubico, a pioneer in authentication and the leading provider of hardware security keys.          

At RSAC 2022, we spoke with Manning to discuss the importance of user experience when implementing a multi-factor authentication (MFA) solution, how some methods of authentication are stronger than others, and how businesses can balance user experience and security when choosing an MFA solution.  

Could you give us an introduction to Yubico and how your YubiKey passwordless authenticators work?

Yubico was founded in 2008, and our product is the YubiKey—a multi-protocol, hardware security key for authentication. YubiKeys support hundreds of applications and services, and with these devices, users authenticate by touching their key, or tapping via NFC to their device. They come in many different forms, and all have a touch sensor which requires you to physically touch them in order to complete the circuit and trigger the key to then authenticate you. This means that, from a security perspective, if someone gains access to your computer, they can’t trigger your YubiKey—to log in requires the physical touch of the owner of the device.

Initially, in 2008, it was just an OTP key; it had one function. Since then, these keys have evolved tremendously. They now support multiple authentication protocols, including modern FIDO-based authentication with FIDO U2F (Universal 2nd Factor), which we co-authored with Google, and FIDO2/WebAuthn, in addition to OTPs and time-based OTPs, smartcard support for login or as a CAC [Common Access Card] replacement. About two years ago, we helped to create FIDO2 and WebAuthn, which allow for a true passwordless login experience into supported applications and services.       

We’re continuing to work with the FIDO Alliance, and leading cloud organizations like Microsoft, Google and Apple to drive this modern, phishing-resistant MFA, and the path to passwordless. At the moment, you have to create a password for everything that you sign up for. But if we can remove that dependency, which is really what we’re trying to do, that’s going to be better for everyone, from consumers to enterprises.

A lot of businesses struggle to get their users on board with the idea of IAM because they find that user authentication adds too much friction to the login process. How do YubiKeys help boost productivity as well as security by delivering a positive user experience?

Over the years, we’ve developed our Works With YubiKey program—a catalogue of everywhere that you can use a YubiKey. We created a physical key, and the list of devices and apps they are compatible with continues to grow. And you get the same user experience, a simple touch, across everything.

Hardware authentication has a history of being difficult. We designed YubiKeys to reimagine hardware authentication, creating durable devices that don’t get crushed or require batteries. We’ve seen YubiKeys get run over by cars, put in washing machines, or even get eaten by dogs and continue to work.    

The simplicity of not having to pull out a phone, memorize a code, unlock your screen, or even have internet access makes them very user-friendly. All you have to do is touch the key and you’re authenticated with phishing-resistant MFA.

Despite the risks associated with password use in the workplace—such as the use and re-use of weak passwords—and the fact that many security experts are recommending switching to a more secure method of authentication, many organizations still use passwords simply because they’re familiar. Do you think that a truly passwordless future is achievable?

It’s a long path to a passwordless future, but the good thing is that the technology is here today to support it. Now, it’s about many more applications and services supporting these open standards to speed up this journey.       

It’s a massive effort for passwords to truly go away—to have 100% coverage across everything will take years and years, decades even, to finally get there. But when you have organizations like ourself, FIDO, Google, Microsoft and Apple helping to push these standards, and support them on all platforms and browsers , it is possible. It’ll take time, but, as I said, the technology is there today.       

And is passwordless authentication something that an organization can implement right away, or should they start with other authentication methods like MFA and SSO, and progress from there?

It depends on what they have implemented within the organization. I think that the most important step is turning on MFA. Before you’re looking at this passwordless journey, make sure that you’re at least addressing the MFA requirements within your organization.

And we like to say that there are a lot of types of MFA, but not all are created equal. That’s a very important thing to realize—that there are different tiers. There’s SMS, which is extremely hackable, there are push notifications, time-based codes, authenticator apps—those can all be hacked in many different ways. Someone could access someone else’s phone or use simple social engineering, which we’re seeing a lot today, especially with dispersed workforces and users working remotely.

Now, we’re seeing a transition in the types of MFA people are required to use—and this has stemmed from an executive order from the White House, which requires the use of phishing-resistant MFA. Phishing-resistant MFA has been defined as smartcard, as well as modern FIDO-based authentication.

And the YubiKey is in a very unique position, because we support both. So, within an organization, you can be on this journey. You may have legacy Smart Card Systems, and then want to move to FIDO; YubiKeys can be part of that full journey with your organization, so you don’t have to go out and purchase new keys or update your infrastructure. Because they are multi-protocol and multi-function, these same devices will work with you as your organization’s security infrastructure evolves.

What is your final piece of advice to organizations that want to implement an identity and access management solution that’s both secure and user-friendly?

YubiKeys are natively supported by all of the top IAM platforms, including Okta, Ping, Microsoft, and many others. The first step is making sure that you’re going beyond a basic username and password, and understanding the security risk of implementing a weaker form of MFA. We can think of it in the context of the story of the three little pigs. The straw house, that’s going to be SMS. The house built from wood could be a TOTP. And the brick house is phishing-resistant, hardware-based MFA—smart cards and FIDO. An organization should evaluate what their tech stack is, understand that you can—in most cases—add a higher level of security, and then figure out how you want to deploy MFA across your organization. The industry has shown that hardware security keys are the strongest way to go. The secrets are bound to the YubiKey, and there’s nothing extractable. If someone finds a YubiKey, they can’t pull any information from it. And you’re able to use a single YubiKey across hundreds of different services, having that same secure, simple user experience, and high level of security, across all of them.

Thank you to Ronnie Manning for taking part in this interview. You can find out more about Yubico’s secure modern multi-factor authentication solutions via their website.

Expert Insights provides leading research, reviews, and interviews to help organizations make the right IT purchasing decisions with confidence.