Simplifying break glass account security with YubiKeys (2024)

Break glass accounts are crucial accounts that provide access to critical systems during a variety of emergencies. Microsoft’s recent announcement on the enforcement of multi-factor authentication (MFA) for Microsoft Entra ID sign-ins highlights the impact on break glass accounts and improved security postures: “We have heard your questions about break glass or ‘emergency access’ accounts. We recommend updating these accounts to use FIDO2 or certificate-based authentication (when configured as MFA) instead of relying only on a long password. Both methods will satisfy the MFA requirements.”

As a safety net during various emergencies, break glass accounts are important for scenarios including:

  • Network or Service Outage: When network connectivity or internet access is disrupted, preventing authentication over telephony transports and wireless networks.
  • Failure of Federation Services: When the identity provider offering federated authentication experiences a service disruption.
  • Privileged Role Member Unavailability: When members of privileged roles, such as the Global Administrator, have left the organization or are unavailable.
  • Privileged Access Management Tool (PAM) Unavailability: When PAM tools used to securely store access credentials for high-privilege users are unavailable due to disruption or maintenance.

However, the security of these accounts is often overlooked. This oversight can be addressed by leveraging device-bound passkeys residing in devices purpose-built for security such as YubiKeys, to achieve high assurance authentication. As we delve into the specifics of using YubiKeys for break glass accounts, it’s crucial to understand the compelling benefits they offer in enhancing account security.

See Also
FortiToken vs. Microsoft Authenticator vs. Yubico YubiKey ComparisonCisco Duo vs. Microsoft Entra ID vs. Yubico YubiKey Comparison

Why YubiKeys are a critical security tool for break glass accounts

One of the biggest advantages of YubiKeys is their ability to support passwordless authentication using passkeys. Passkeys eliminate the operational overhead of password management and reduce the risk of password-related security breaches. Passwordless authentication is not only more secure, but also more convenient – ensuring that access is both easy and secure during an emergency. Additional benefits include:

  • Phishing-resistant MFA backed by hardware
    • Passkeys stored on YubiKeys offer robust security through the FIDO2 protocol, providing phishing-resistant MFA. Unlike passwords that can be phished or stolen, device-bound passkeys on YubiKeys use public key cryptography binding the domain to the credential. Passkeys reside in the YubiKey hardware form factor and cannot be exfiltrated or remotely compromised as the private key never leaves the authenticator – ensuring the highest level of security for organizations.
  • Reduced service dependency footprint
    • Passkeys on YubiKeys operate independently of traditional MFA methods that rely on external systems, such as SMS or push notifications, which depend on network connectivity and telecommunication services. In cases where these services are disrupted, device-bound passkeys on YubiKeys ensure a reliable authentication method that remains unaffected by such dependencies.
  • Ideal for offsite storage
    • YubiKeys don’t contain moving parts and are designed to be simple and robust, with a solid-state construction that contributes to their reliability. They don’t require batteries or an external power source, as they draw power directly from the USB or NFC connection when in use, making them ideal for offline storage and offsite locations.

With a clear understanding of why YubiKeys are a critical security tool for break glass accounts, let’s now explore the practical steps to set them up effectively. Implementing these steps will ensure that your emergency access accounts are both secure and readily accessible when needed.

Setting up YubiKeys for break glass accounts

  1. Create a Security Group: Start by creating a security group specifically for your break-glass accounts. Assign the Global Administrator role to this group.
  2. Use Cloud-Only accounts: Create accounts native to identity and service provider platforms ensuring they aren’t federated or synchronized.
  3. Register two YubiKeys: Each break-glass account should have two YubiKeys registered to ensure redundancy.

Some additional best practices for security of accounts include:

  • Policy exclusions: Make sure your policies do not block access to break glass accounts which will require unimpeded access during an emergency.
  • Secure storage: Store YubiKeys in secure, separate locations to prevent unauthorized access.
  • Document procedures: Clearly document how to access and use break glass accounts and train your team on these procedures.
  • Regular testing: Regularly test the processes to ensure they work as expected during an emergency.

Additionally, consistently monitor activities related to break glass accounts and set up alerts for any changes or usage. Periodically review who has access to ensure that only authorized personnel can use these accounts. This helps maintain the security and integrity of your emergency access procedures.

YubiKeys provide an excellent solution for securing break glass accounts, with their support for passwordless authentication, strong phishing-resistant MFA, reduced service dependency footprint, and solid-state design ideal for offsite storage. By deploying YubiKeys and following recommended practices, you can ensure that your emergency accounts are always secure and ready for use. Regular training, rigorous testing, and continuous monitoring ensure that everything remains in order, giving you confidence that your critical systems can be accessed during a crisis event.

Don’t miss our newest blog detailing the Microsoft MFA Mandate and the recently announced Microsoft Entra ID FIDO2 provisioning APIs that give organizations the option to develop or leverage alternative administrator-led provisioning clients that support the setup of YubiKeys. Be sure to also check out our recent blog post here for more info on all the ways you can incorporate YubiKeys across the Microsoft ecosystem.

For any questions and to learn how to get started implementing YubiKeys for your business, contact our team here.

Simplifying break glass account security with YubiKeys (2024)

References

Top Articles
Marquette Gas Prices
Kbj Ad1Yn2
Koopa Wrapper 1 Point 0
Frank Lloyd Wright, born 150 years ago, still fascinates
Lifebridge Healthstream
Erika Kullberg Wikipedia
Math Playground Protractor
Do you need a masters to work in private equity?
877-668-5260 | 18776685260 - Robocaller Warning!
Words From Cactusi
Campaign Homecoming Queen Posters
Tiraj Bòlèt Florida Soir
Little Rock Arkansas Craigslist
Oxford House Peoria Il
Craigslist Boats For Sale Seattle
Where does insurance expense go in accounting?
Studentvue Columbia Heights
60 X 60 Christmas Tablecloths
Epro Warrant Search
Ruben van Bommel: diepgang en doelgerichtheid als wapens, maar (nog) te weinig rendement
The Pretty Kitty Tanglewood
Traveling Merchants Tack Diablo 4
Selfservice Bright Lending
What Channel Is Court Tv On Verizon Fios
Hampton University Ministers Conference Registration
11 Ways to Sell a Car on Craigslist - wikiHow
Wonder Film Wiki
Biografie - Geertjan Lassche
Criglist Miami
Stephanie Bowe Downey Ca
Salemhex ticket show3
The Posturepedic Difference | Sealy New Zealand
Christmas Days Away
Laveen Modern Dentistry And Orthodontics Laveen Village Az
Davita Salary
Have you seen this child? Caroline Victoria Teague
Giantess Feet Deviantart
Jr Miss Naturist Pageant
Frostbite Blaster
To Give A Guarantee Promise Figgerits
What Does Code 898 Mean On Irs Transcript
Publictributes
Cheetah Pitbull For Sale
Wrigley Rooftops Promo Code
Ramsey County Recordease
The best bagels in NYC, according to a New Yorker
Worcester County Circuit Court
Florida Lottery Powerball Double Play
Congruent Triangles Coloring Activity Dinosaur Answer Key
How To Connect To Rutgers Wifi
WHAT WE CAN DO | Arizona Tile
Laurel Hubbard’s Olympic dream dies under the world’s gaze
Latest Posts
How To Dash On Xbox Blox Fruits
Setx Sports
Article information

Author: Ouida Strosin DO

Last Updated:

Views: 5856

Rating: 4.6 / 5 (76 voted)

Reviews: 83% of readers found this page helpful

Author information

Name: Ouida Strosin DO

Birthday: 1995-04-27

Address: Suite 927 930 Kilback Radial, Candidaville, TN 87795

Phone: +8561498978366

Job: Legacy Manufacturing Specialist

Hobby: Singing, Mountain biking, Water sports, Water sports, Taxidermy, Polo, Pet

Introduction: My name is Ouida Strosin DO, I am a precious, combative, spotless, modern, spotless, beautiful, precious person who loves writing and wants to share my knowledge and understanding with you.