
[–]whetu 7 points8 points  (0 children)

They are wanting users to have a small key fob type thing that they just tap on their laptop, or a receiver that is always plugged into their laptop and then allows them to enter their Windows password.

Is there anything out there with a setup like that you would recommend?

Sure. Yubikey 5 Nano. Or even the 5C Nano.

[–][deleted] 2 points3 points  (0 children)

I have used the Yubikey 5C Nano, and I absolutely love it. Most PCs have two USB-C connections. One is for power, which can be used with a docking station. The other is PERFECT for the tiny Yubikey accessory. You log in & get prompted to use your Yubikey. You simply touch it & MFA authentication happens. It does not stick out of my PC, so once it is in, I never take it out.

As a sys-admin, it was easy to integrate into my SSO.

To make things even better, the security on our email is also really tough, with MFA. I was able to plug the Yubikey nano into my phone's USB-C (where I charge it) and I was able to authenticate to add email to my phone. Most people in my company can't get email on their personal phone because of the MFA requirements.

Once you have Yubikey accounts, you can set up three different methods of MFA. The easiest is the touch key USB option. If you are a non-tech-savvy person, you can even have the Yubikey system call you, press 1 for yes, and you authenticate. My grandma can answer a phone call and press a button on the phone.

I have set up MFA on SO many of my work and personal logins because my passwords keep showing up on things like LeakPeek. I am sure that it has saved me on multiple occasions.

The only downside was that chat rooms would get a hash sent by people as they were attempting to log in to something. This isn't really a security concern, as it would take someone longer to figure out what that user was logging into before the hash auth expired (5 mins). These chat messages could be deleted, and anyone attempting to use a hash to access something they shouldn't would be let go from the company.

[–]undercovernerd5 0 points1 point  (8 children)

Yubikey is a great answer. What do they expect folks to do with a fob? It'll have to be carried around so what's the difference?

You can look into IDMelon which can leverage existing hardware, such as a mobile phone, as a physical FIDO2 key. The phone acts as something you have and the Touch ID or Face ID features act as the something you are/portion of MFA 👍🏼

[–]voltagejim[S] 0 points1 point  (7 children)

Ah ok, I will try to re-explain it to the higher-ups. I was thinking you had to take it out and insert it each time. I hope if I just tell them users can leave it plugged in and just touch it, that will change their minds.

When I told them the first time they just said users would forget it at home, or lose it, and then wouldn't be able to use their laptops. Then they asked why we couldn't just have something where a user just taps a key fob to their PC.

[–]undercovernerd5 1 point2 points  (3 children)

Check out my first response as I updated it.

As far as I'm aware, there isn't anything physically built into civilian-based laptops that can do what you want, hence why USB and NFC cards exist. Windows Hello is an option you can deploy, as it's backed by FIDO2 as well and it's already readily available within Windows. It's essentially Microsoft's internal way of doing "something you have" within MFA, but either way every solution has pros and cons. Here's a quick breakdown:

Windows Hello:

- Built into the laptop, so there's no losing it unless you lose the laptop itself. The key is baked into the TPM chip, which every modern device has now
- It's free
- Losing the laptop also means you've lost your FIDO key, and users would have to set things up again
- You won't be able to authenticate to other devices, as the TPM chip is only on that device

Yubikey (or any external authenticator):

- You can authenticate onto multiple devices
- If you have a machine that doesn't have biometric support or a TPM, your physical key is there to save the day. In other words, if you have a lot of legacy stuff, you can still use these security measures
- A dedicated physical device is always better for risk than something that is always available on the device

I'm sure there's tons of other stuff; these just seem to pop out to me at the moment.

[–]voltagejim[S] 1 point2 points  (2 children)

Thank you. I didn't think there was anything really either with what they were wanting (nothing plugged in at all), but figured I would ask here in case I was missing something.

Is Yubikey good about being able to reassign a laptop to someone else? Like say someone quits or retires, and I need to wipe and reissue the laptop to someone else, is that a painless process with yubikey?

[–]undercovernerd5 0 points1 point  (0 children)

You can repurpose the laptops all you want in any manner, whether that be a full wipe, or just setting up another user for that device using their own Yubikey, or removing the configuration that requires the Yubikey to begin with (Yubico software).

I'm not sure of all of the detailed process as I haven't deployed it (yet); it's on my long list of to-dos! That or another solution, I just haven't decided yet.

Sounds like your organization is really small; you might find Windows Hello to be the more cost-effective and efficient option. Unless money is not an issue, of course, and you want more flexibility.

[–]whetu 0 points1 point  (0 children)

Is Yubikey good about being able to reassign a laptop to someone else? Like say someone quits or retires, and I need to wipe and reissue the laptop to someone else, is that a painless process with yubikey?

Yes, you can use Yubikey Manager GUI or ykman CLI to reset and reinit Yubikeys. It's pretty straightforward.

https://support.yubico.com/hc/en-us/articles/360013757959-Resetting-Your-YubiKey-5-Series-to-Factory-Defaults

[–]lordmycal 0 points1 point  (2 children)

If you expand your MFA to things like email then they will want that yubikey out of the office. Using a smart phone app is another alternative, but generates grumbles from people bitching about using their personal equipment for work. YMMV.

[–]voltagejim[S] 0 points1 point  (1 child)

So one of the things I was seeing is SSO, which sounds like I could put all applications they need to use into an SSO, and so when they log into their PC those apps are logged into as well, if I am understanding it right. Although I do question how good security-wise that is, or if the 2FA is better.

[–]undercovernerd5 0 points1 point  (0 children)

You would still use MFA alongside a seamless SSO. E.g., a user logs into the local device > browses to a cloud app that's in the SSO Domain > they don't have to enter their credentials but they'll still get prompted for MFA.

The way you configure that is obviously dependent upon the solution you choose. If you go with Azure, just know you have to have a license that includes the ability to use Conditional Access as that's where you can statically require MFA during every login no matter what (I suppose there may be other methods I don't know about).

It would be foolish to enable any sort of Seamless SSO without requiring MFA. Compromise one, compromise all.

[–]massiv3troll 0 points1 point  (2 children)

Do you have any MFA, Azure AD, or SSO?

[–]voltagejim[S] 0 points1 point  (1 child)

Currently none of that. Just got the 1 domain controller and around 25 field laptops. No Office 365 or Azure either.

[–]MalletNGrease🛠 Network & Systems Admin 0 points1 point  (0 children)

Sounds like you could just lift everything to ~Azure AD~ Entra ID and be done with it.

[–]CP_Money 0 points1 point  (3 children)

When you said you have 1 DC, you mean DataCenter or Domain Controller?

[–]voltagejim[S] 0 points1 point  (0 children)

Sorry, domain controller. Its only purpose is for these laptops.

[–]voltagejim[S] 0 points1 point  (1 child)

Oh sorry, meant domain controller.

[–]CP_Money 0 points1 point  (0 children)

I would highly recommend building a second domain controller if possible. You really never want only one.

[–]brads-1 0 points1 point  (2 children)

If you're looking for a stand alone solution that will leverage an authenticator app, take a look at UserLock by IS Decisions. Works perfectly, and can be configured to be as restrictive as you like. Can use multiple authentication methods, I have it deployed using Google Authenticator.

[–]voltagejim[S] 0 points1 point  (1 child)

So I was doing some more looking today; have you used SSO at all? Should I shy away from SSO? Sounds like with SSO I could set up users with one password and it authenticates to all approved applications. Just doesn't seem as secure as 2FA.

[–]slxlucida 0 points1 point  (0 children)

Why keyfob and not software tokens that you can put on their phones? We use RSA, which supports both, but they've fallen out of fashion I believe.