Lifecycle Consideration for Security Key Deployments
2 likes648 views
This document discusses lifecycle considerations for security key deployments. It covers account registration, device registration, and account recovery. For account recovery, it recommends using multiple security keys to allow for self-recovery. It also recommends expanding existing identity proofing mechanisms used during initial registration to be used during account recovery. The document discusses both self-service and assisted account recovery options.
Lifecycle Consideration for Security Key Deployments
- 1. ©2019Yubico © 2019 Yubico Lifecycle Considerations for Security Key Deployments Jerrod Chong SVP Product, Yubico FIDO Authentication Seminar Austin, Texas - Jan 28, 2019
- 3. ©2018Yubico Most common recovery method 1. Install App 2. Sign in with Username/Password (fingerprint won’t be registered) 3. Wait for SMS OTP code 4. Enter OTP code (switch between text app and Mobile App) 5. (Menu popup) Select to add this device as trusted 6. (Menu popup) Register Touch ID 7. (Menu popup) Accept/Decline Touch ID warning* 8. Set Touch ID / Acknowledge addition 9. (Menu popup) Respond to notification request 10. Exit new user walkthrough 11. Open menu 12. Select Profile/Settings 13. Select manage devices 14. Click All devices 15. Find old device in list click remove 16. Acknowledge removal Why Security Keys?
- 4. ©2019Yubico Security Keys Strengthen Account Lifecycle ● Roaming authenticator bootstraps devices ● Security keys eliminates the need for weaker recovery options like passwords and OTP codes ● Multiple roaming authenticators allow for self-recovery ○ Recommend to have 2 (or more) roaming authenticators (car, house, etc.) ● Easily integrates into an existing recovery framework 4
- 5. ©2019Yubico 5 Account Registration Device Registration Account Recovery Security Key Deployment
- 6. ©2019Yubico 6 Account Registration Security Key Deployment Administrator Enrolls User Consistent, managed experience Use Self-Enrolls Ease-of-use reduces pitfalls Device Registration Initial enrollment Start with enrolling 1st security key Platform Authenticators Enroll built-in Platform Authenticators Backup Enroll backup security keys Account Recovery Recover using backup security keys Self-service Maintain authenticator assurance level FIDO recommendation Re-run identity proofing / user onboarding mechanisms Self-service or Assisted FIDO recommendation
- 7. ©2019Yubico 7 Account Registration Security Key Deployment Administrator Enrolls User Consistent, managed experience Use Self-Enrolls Ease-of-use reduces pitfalls Device Registration Initial enrollment Start with enrolling 1st security key Platform Authenticators Enroll built-in Platform Authenticators Backup Enroll backup security keys Account Recovery Recover using backup security keys Self-service Maintain authenticator assurance level FIDO recommendation Re-run identity proofing / user onboarding mechanisms Self-service or Assisted FIDO recommendation
- 8. ©2019Yubico 8 Account Registration Security Key Deployment Administrator Enrolls User Consistent, managed experience Use Self-Enrolls Ease-of-use reduces pitfalls Device Registration Initial enrollment Start with enrolling 1st security key Platform Authenticators Enroll built-in Platform Authenticators Backup Enroll backup security keys Recover using backup security keys Self-service Maintain authenticator assurance level FIDO recommendation Re-run identity proofing / user onboarding mechanisms Self-service or Assisted FIDO recommendation Account Recovery
- 9. ©2019Yubico ● Vendor specific ○ Expensive to maintain and not consistent across services ● Account Recovery using email link or SMS or OTP codes ○ Prone to phishing attacks ● Account Recovery using Automated Remote Identity Proofing ○ NIST identifies identity proofing mechanisms in its 800-63A Digital Identity Guidelines ○ ID Proofing varies greatly from region to region, country to country 9 Self-Service Account Recovery
- 10. ©2019Yubico ● Enterprise / B2B / B2B2B ○ Account Recovery with In-Person Agent ○ Account Recovery via phone/video call to IT support with visual ID check/manager approval ● B2C / Consumer ○ Delegated recovery (Dial a friend) ○ Account Recovery with Logistics Based Solutions after in-person verification or remote agent proofing 10 Assisted Account Recovery
- 11. ©2019Yubico ● Register Multiple Security Keys ○ Allow users to enroll as many security keys as possible ○ Maintain assurance level, minimize complexity, reduce recovery time and help desk costs ● Expand existing identity proofing / user onboarding mechanisms for recovery ○ Have Specific Recovery Flows based on who, when, how user was on-boarded and type of device enrollment 11 Security Key Deployment Summary
- 12. ©2018Yubico 12 Resources FIDO Recommendations Account Recovery Best Practices whitepaper Coming Soon! Guidelines NIST 800-63A Digital Identity Guidelines https://pages.nist.gov/800-63-3
- 13. ©2019Yubico © 2017 Yubico 13