You are drinking your coffee on Monday morning when you read an email from your CEO explaining a recent directive to roll out YubiKeys as part of the company's 2FA (two-factor authentication) policy. The board would like a strategy from you, the IT Manager, on how you will quickly and efficiently roll out the YubiKeys to all of the company's 5,000 employees. Your initial thought is to use a spreadsheet listing employee name and device ID, but is that desirable or even possible?
On further analysis you can see that there are 10 main factors you need to consider when deciding on a system to help you to manage the initial deployment and ongoing maintenance of the YubiKeys, and a spreadsheet is just not going to cut it. Can you honestly say the following 10 points can be delivered by a spreadsheet?
- Inventory – Who has which YubiKey? How many YubiKeys are remaining? Are the YubiKeys active? What YubiKey key types do we have?
- Configuration – What can the YubiKey do? What do you want the YubiKey to do?
- Integration – Can the YubiKey integrate into Active Directory and our IAM and PAM systems?
- What certificates are loaded onto each YubiKey?
- Should the YubiKey have both FIDO and PKI certificates on the device?
- Do you have a record of when each certificate is due to expire?
- PIN locked? How do you unlock it?
- Updates – How can you apply a new policy to the YubiKey without physically asking for all YubiKeys to be returned to IT and the knock-on effect to the business?
- Revocation – How do you revoke the certificates on the YubiKey and disable the YubiKey itself?
- Can we add certificates to YubiKeys already deployed?
- Replacement – lost or stolen YubiKeys? How do you manage the compromised key, ship a new YubiKey to the employee and apply all of the certificates required to that new YubiKey?
- Renewal – How do you replace expiring certificates on the YubiKey?
- How do you show an auditor all the processes you go through to enable/disable YubiKeys as part of a security audit for ISO9001 and CMMC?
- Can you do a full security audit?
- Can you prove that actions have been carried out and not just updated on a document?
- Usability – A new system must be easy to use, and it must be easy to delegate certain functions to staff and line managers to reduce the burden on the IT team.
- Self Service – You don't have a team big enough to manage thousands of YubiKeys in multiple locations and countries. A self-service process should also be able to apply advanced capabilities to YubiKey devices during key enrolment.
The answer to all of these questions is to use the MyID 12.4 CMS. The MyID Credential Management System has been designed to make deploying and managing YubiKeys at scale a simple and straightforward process. Its advanced features include applying advanced capabilities to a YubiKey device at the point of issue, and it lets you purchase a standard YubiKey and deploy the capabilities that suit your own organisation's policies.
MyID supports the YubiKey Security Key Series, YubiKey 5 series, YubiKey 5 FIPS series and the YubiKey Bio Series – FIDO edition. MyID 12.4 added the following YubiKey 5 features: updated cryptographic key support (AES), the ability to enable or disable device capabilities, and the ability to set the device management key to prevent changes to device capabilities.
So instead of tying up your resources managing your YubiKeys on a spreadsheet, let MyID make it simple for you, leaving you free to get on with the day job.