Sciber launches YubiKey Locker to help organizations prevent physical attacks


Today, Sciber LABS in collaboration with Yubico has released its first open source project to help organizations with the migration to a passwordless future. Sciber YubiKey Locker enables organizations to automatically log out or lock endpoints running the latest versions of Windows 11, macOS and Ubuntu.

The project is available today on GitHub using the following link:

We decided to focus on early and easy adoption with progressively increasing functionality, rather than complex integrations and configurations from the start. For instance, this first release only has the basic functionality of detecting if a YubiKey is physically removed. More advanced features such as identification of a specific key are not included today.


Background

Sciber is heavily focused on a passwordless future. With this in mind, we began a software development project last fall to try to close the gap between smart card removal behavior and the use of YubiKeys in a modern corporate environment. In this post we explain why we are releasing it and describe two of the most common use cases we have seen, which organizations can benefit from completely free.

Use case 1 - Shared workstations 

Using shared workstations in stores or warehouses often causes employees to reuse passwords for logon.

Imagine a workstation where an employee handles sales to customers inside the store. To use the workstation, the employee inserts a YubiKey and logs on or unlocks using the PIN. Today, upon removal of the key, the user is not logged out or locked automatically since this feature is not yet implemented in Windows. With Sciber YubiKey Locker, a user can be logged out just by removing the key, and the next employee can do a secure logon by inserting another personal YubiKey. For companies that use a shared account instead and simply lock the computer, any password must be communicated to all users and, if it is compromised, can be used by anyone for physical access.

Instead of sharing passwords and accounts, one can obtain a higher level of security with a better experience for the end user. 

Use case 2 - Locking the endpoint upon removal of the YubiKey

Policies often tell co-workers that endpoints (laptops, workstations) should be locked when left unattended. By setting the policy to lock the machine after the YubiKey is removed (similar to smart card removal behavior), one can safely transition to YubiKeys instead of smart cards and obtain the same level of security: locking the machine when the key is removed. End users can simply remove the YubiKey to lock the endpoint after a number of seconds, which reduces the physical attack surface.

How can you manage the transition?

Modern environments that use an MDM for endpoint control can use either Active Directory GPOs or Intune policies to roll out Sciber YubiKey Locker and set the action upon removal to lock, logout or do nothing. This means that you can centrally govern the behavior on removal of a key down to machine level and make sure that your users experience lock or logout in a simple way.

Why are we releasing this?

There are many other projects and software solutions that do similar things, but few are as complete, open source and free to use.

We hope our project can help organizations move to a passwordless future and close the gap on physical attacks in the areas that are prone to them. Sciber can help organizations with rollout projects if they are interested, and the MIT license also allows companies to further enhance the software.

 

Statement from Yubico

"Similar to Yubico's goal of making the internet safer for everyone, Sciber's mission from day one was to bring Zero Trust principles to provide their clients with robust protection against evolving cyber threats and securing their digital assets with the utilization of existing technologies. As a pioneer in phishing-resistant Multi-factor Authentication hardware and an integral part of a Zero Trust model, Yubico is happy to partner with Sciber as they help to drive FIDO2 adoption across their existing and growing customer base.

At Yubico we often help organizations transition from legacy multi-factor authentication (MFA) like smart cards to modern passwordless methods and form-factors, using our lineup of multi-protocol security keys. Now, through our partnership with Sciber, customers can augment our solutions by implementing a protocol-agnostic security key removal policy - that seamlessly integrates across various operating systems. This is important in meeting existing smart card customer security requirements (e.g. policies for smart card removal behavior), but also enables the forward-looking customer to bridge to modern protocols like FIDO2 passkeys, while staying compliant with their existing security policies. Moreover, the capability developed by Sciber enhances overall security posture for all organizations by locking the workstation or logging off the user when a YubiKey is not present, so it's a great capability not only for those customers sunsetting legacy methods or form-factors." 

Neil Bronsdon - Yubico Senior Channel Manager - Nordics & Baltics

Customer testimonial from evroc

"evroc is a fast-growing company with the ambition to build a secure, sovereign and sustainable hyperscale cloud. We have chosen to use Apple products for all endpoints. It’s great for our overall security to be able to use Sciber YubiKey Locker to secure our endpoint access. It helps close the gap for enterprise use of the Mac and that of traditional environments (MS).

Big shout out to Sciber for making YubiKey Locker available!"

evroc - https://evroc.com/ 

 
