News

Easy emergency access with YubiKeys

Unkomplizierter Notfallzugang mit YubiKeys

Emergency access (“break-glass accounts”) are emergency access accounts that provide access to critical systems in various emergency situations. In the recent announcement Microsoft's statement on enforcing multi-factor authentication (MFA) for Microsoft Entra ID logins highlights the associated impact on emergency access and security improvements: " We've heard your questions about emergency access or 'break-glass' accounts. We recommend using FIDO2 authentication or certificates (if configured with MFA) for these accounts, rather than just a long password. Both methods meet MFA requirements."

Emergency access points are an important safety net in various situations. Here are some examples:

  • Network or service outage : If the network connection or internet access is interrupted, this prevents authentication over telephony and wireless networks.
  • Federation Services Failure : When the identity provider for federated authentication fails.
  • Absence of employees with privileged rights : When holders of privileged roles, for example the global administrator, have left the company or are unavailable.
  • Privileged Access Management (PAM) tool unavailability : When PAM (Privileged Access Management) tools used to securely store credentials for users with privileged access rights are unavailable due to disruptions or maintenance work.

However, the security of these accounts often receives too little attention. This does not have to be the case: There are device-bound passkeys in devices specifically designed to improve safety, such as YubiKeys , which can be used to reliably secure authentication. Regarding the specifics of emergency access with YubiKeys, the decisive factor is the enormous benefits in improving account security.

Why YubiKeys are an important security tool for emergency access

One of the biggest advantages of YubiKeys is passwordless authentication with Passkeys . Passkeys reduce the burden of password management and security breaches caused by exposed passwords. Passwordless authentication is not only more secure but also more convenient. In an emergency, you always have a simple and secure access option. Other benefits:

  • Phishing-resistant MFA with hardware support
    The passkeys stored on YubiKeys provide reliable security via the FIDO2 protocol and offer phishing-resistant MFA. Unlike passwords, which can be compromised through phishing or theft, device-bound passkeys on YubiKeys use public-key cryptography. The domain is bound to the credentials. The passkeys are stored in the YubiKey hardware and cannot be exfiltrated or remotely compromised. The private key never leaves the authenticator—providing the highest level of security for businesses.
    • Less dependence on external services
      Passkeys on YubiKeys operate independently of traditional MFA methods that rely on external systems such as SMS or push notifications and are therefore dependent on network connectivity and telecommunications. In the event of service outages, the device-bound passkeys on YubiKeys provide a reliable authentication method that is unaffected by such dependencies.
    • Ideal for external storage
      YubiKeys have no moving parts. Their simple and reliable design and solid-state construction contribute to their reliability. They require no batteries or external power source. Power comes directly from the USB or NFC connection—ideal for offline storage and remote locations.

    Now that we know why YubiKeys are an important security tool for emergency access, let's dive into the steps involved in setting them up. By following these steps, your emergency access accounts will be secure and easily accessible when needed.

    Setting up YubiKeys for emergency access

    1. Creating the security group : First, create a security group specifically for your emergency access. Assign this group the role of global administrator.
    2. Pure cloud accounts : Create native accounts for both your identity provider and service provider, eliminating the need for federated accounts and synchronization.
    3. Registering two YubiKeys : Two YubiKeys must be registered for each emergency access point to ensure redundancy.

    Here are some other best practices for account security:

    • Policy exclusions : Ensure your policies do not prevent access to your emergency access points. You must have unfettered access in an emergency.
    • Secure Storage : Keep your YubiKeys in secure, separate locations to prevent unauthorized access.
    • Document procedures : Carefully document access to emergency access points and their use. Train your team on these procedures.
    • Regular testing : Test processes regularly to ensure they work as expected in the event of an emergency.

    Additionally, continuously monitor activity around emergency access points. Be alerted if someone makes changes to them or uses them. Regularly review who has access. Only authorized employees are allowed to access them. This ensures the security and integrity of your emergency access procedures.

    YubiKeys are an excellent solution for securing emergency access: they support passwordless authentication, offer strong phishing-resistant MFA, reduce reliance on external services, and feature a semiconductor design ideal for off-site storage. With YubiKeys and these best practices, your emergency accounts are always secure and ready for use. Regular training, rigorous testing, and continuous monitoring ensure you're always on top of everything. This ensures access to your critical systems in the event of an emergency.

    Source: yubico.com

    Reading next

    Gestalte dein persönliches Cover für HID Omnikeys!
    YubiKeys jetzt wieder mit ID Austria kompatibel