Simplifying break glass account security with YubiKeys (2024)

Break glass accounts are crucial accounts that provide access to critical systems during a variety of emergencies. Microsoft’s recent announcement on the enforcement of multi-factor authentication (MFA) for Microsoft Entra ID sign-ins highlights the impact on break glass accounts and improved security postures: “We have heard your questions about break glass or ‘emergency access’ accounts. We recommend updating these accounts to use FIDO2 or certificate-based authentication (when configured as MFA) instead of relying only on a long password. Both methods will satisfy the MFA requirements.”

As a safety net during various emergencies, break glass accounts are important for scenarios including:

  • Network or Service Outage: When network connectivity or internet access is disrupted, preventing authentication over telephony transports and wireless networks.
  • Failure of Federation Services: When the identity provider offering federated authentication experiences a service disruption.
  • Privileged Role Member Unavailability: When members of privileged roles, such as the Global Administrator, have left the organization or are unavailable.
  • Privileged Access Management Tool (PAM) Unavailability: When PAM tools used to securely store access credentials for high-privilege users are unavailable due to disruption or maintenance.

However, the security of these accounts is often overlooked. This oversight can be addressed by leveraging device-bound passkeys residing in devices purpose-built for security such as YubiKeys, to achieve high assurance authentication. As we delve into the specifics of using YubiKeys for break glass accounts, it’s crucial to understand the compelling benefits they offer in enhancing account security.

Why YubiKeys are a critical security tool for break glass accounts

One of the biggest advantages of YubiKeys is their ability to support passwordless authentication using passkeys. Passkeys eliminate the operational overhead of password management and reduce the risk of password-related security breaches. Passwordless authentication is not only more secure, but also more convenient – ensuring that access is both easy and secure during an emergency. Additional benefits include:

  • Phishing-resistant MFA backed by hardware
    • Passkeys stored on YubiKeys offer robust security through the FIDO2 protocol, providing phishing-resistant MFA. Unlike passwords that can be phished or stolen, device-bound passkeys on YubiKeys use public key cryptography binding the domain to the credential. Passkeys reside in the YubiKey hardware form factor and cannot be exfiltrated or remotely compromised as the private key never leaves the authenticator – ensuring the highest level of security for organizations.
  • Reduced service dependency footprint
    • Passkeys on YubiKeys operate independently of traditional MFA methods that rely on external systems, such as SMS or push notifications, which depend on network connectivity and telecommunication services. In cases where these services are disrupted, device-bound passkeys on YubiKeys ensure a reliable authentication method that remains unaffected by such dependencies.
  • Ideal for offsite storage
    • YubiKeys don’t contain moving parts and are designed to be simple and robust, with a solid-state construction that contributes to their reliability. They don’t require batteries or an external power source, as they draw power directly from the USB or NFC connection when in use, making them ideal for offline storage and offsite locations.

With a clear understanding of why YubiKeys are a critical security tool for break glass accounts, let’s now explore the practical steps to set them up effectively. Implementing these steps will ensure that your emergency access accounts are both secure and readily accessible when needed.

Setting up YubiKeys for break glass accounts

  1. Create a Security Group: Start by creating a security group specifically for your break-glass accounts. Assign the Global Administrator role to this group.
  2. Use Cloud-Only accounts: Create accounts native to identity and service provider platforms ensuring they aren’t federated or synchronized.
  3. Register two YubiKeys: Each break-glass account should have two YubiKeys registered to ensure redundancy.

Some additional best practices for security of accounts include:

  • Policy exclusions: Make sure your policies do not block access to break glass accounts which will require unimpeded access during an emergency.
  • Secure storage: Store YubiKeys in secure, separate locations to prevent unauthorized access.
  • Document procedures: Clearly document how to access and use break glass accounts and train your team on these procedures.
  • Regular testing: Regularly test the processes to ensure they work as expected during an emergency.

Additionally, consistently monitor activities related to break glass accounts and set up alerts for any changes or usage. Periodically review who has access to ensure that only authorized personnel can use these accounts. This helps maintain the security and integrity of your emergency access procedures.

YubiKeys provide an excellent solution for securing break glass accounts, with their support for passwordless authentication, strong phishing-resistant MFA, reduced service dependency footprint, and solid-state design ideal for offsite storage. By deploying YubiKeys and following recommended practices, you can ensure that your emergency accounts are always secure and ready for use. Regular training, rigorous testing, and continuous monitoring ensure that everything remains in order, giving you confidence that your critical systems can be accessed during a crisis event.

Don’t miss our newest blog detailing the Microsoft MFA Mandate and the recently announced Microsoft Entra ID FIDO2 provisioning APIs that give organizations the option to develop or leverage alternative administrator-led provisioning clients that support the setup of YubiKeys. Be sure to also check out our recent blog post here for more info on all the ways you can incorporate YubiKeys across the Microsoft ecosystem.

For any questions and to learn how to get started implementing YubiKeys for your business, contact our team here.

Simplifying break glass account security with YubiKeys (2024)
Top Articles
10 Bourbons That Are Exclusively Sold Overseas - Tasting Table
Blanton's Single Barrel Red Takara Japanese Edition Review: A Bourbon Lover's Dream Unveiled - The Whisky Lady
Kmart near me - Perth, WA
Public Opinion Obituaries Chambersburg Pa
Melson Funeral Services Obituaries
Bashas Elearning
Kokichi's Day At The Zoo
Team 1 Elite Club Invite
How To Be A Reseller: Heather Hooks Is Hooked On Pickin’ - Seeking Connection: Life Is Like A Crossword Puzzle
Northern Whooping Crane Festival highlights conservation and collaboration in Fort Smith, N.W.T. | CBC News
Chuckwagon racing 101: why it's OK to ask what a wheeler is | CBC News
Craigslist In Fredericksburg
Free Robux Without Downloading Apps
Stream UFC Videos on Watch ESPN - ESPN
A.e.a.o.n.m.s
Whitley County Ky Mugshots Busted
Things To Do In Atlanta Tomorrow Night
OSRS Dryness Calculator - GEGCalculators
O'reilly's Auto Parts Closest To My Location
Jackson Stevens Global
Procore Championship 2024 - PGA TOUR Golf Leaderboard | ESPN
Vintage Stock Edmond Ok
Missouri Highway Patrol Crash
Unforeseen Drama: The Tower of Terror’s Mysterious Closure at Walt Disney World
Eine Band wie ein Baum
The BEST Soft and Chewy Sugar Cookie Recipe
Military life insurance and survivor benefits | USAGov
Academy Sports Meridian Ms
Mandy Rose - WWE News, Rumors, & Updates
14 Top-Rated Attractions & Things to Do in Medford, OR
Unreasonable Zen Riddle Crossword
3 Ways to Drive Employee Engagement with Recognition Programs | UKG
Tomb Of The Mask Unblocked Games World
Publix Daily Soup Menu
Fedex Walgreens Pickup Times
Cars And Trucks Facebook
Ark Unlock All Skins Command
Build-A-Team: Putting together the best Cathedral basketball team
Tokyo Spa Memphis Reviews
NHL training camps open with Swayman's status with the Bruins among the many questions
Myanswers Com Abc Resources
Indiana Jones 5 Showtimes Near Cinemark Stroud Mall And Xd
Lovely Nails Prices (2024) – Salon Rates
RECAP: Resilient Football rallies to claim rollercoaster 24-21 victory over Clarion - Shippensburg University Athletics
Mudfin Village Wow
Pixel Gun 3D Unblocked Games
Rite Aid | Employee Benefits | Login / Register | Benefits Account Manager
Secrets Exposed: How to Test for Mold Exposure in Your Blood!
Lightfoot 247
Gameplay Clarkston
Fetllife Com
Ravenna Greataxe
Latest Posts
Remove folder - MATLAB rmdir
Remove folder - MATLAB rmdir - MathWorks Italia
Article information

Author: Prof. An Powlowski

Last Updated:

Views: 5938

Rating: 4.3 / 5 (44 voted)

Reviews: 91% of readers found this page helpful

Author information

Name: Prof. An Powlowski

Birthday: 1992-09-29

Address: Apt. 994 8891 Orval Hill, Brittnyburgh, AZ 41023-0398

Phone: +26417467956738

Job: District Marketing Strategist

Hobby: Embroidery, Bodybuilding, Motor sports, Amateur radio, Wood carving, Whittling, Air sports

Introduction: My name is Prof. An Powlowski, I am a charming, helpful, attractive, good, graceful, thoughtful, vast person who loves writing and wants to share my knowledge and understanding with you.