Yubico Forum

I'm not a tech person…don't know what OATH Multi-Factor-HOTP, 2 configurations, scan code mode, challenge-response, Client Software, Server Side Software, OpenID, etc. are…nor do I really need to know. In English, this is what I'm trying to accomplish…and I'm hoping someone can provide me with advice how best to accomplish it.

I have a corporate intranet that's only accessed by our 50-60 employees. The employees are mostly remote/home based. We run our intranet from a RackSpace cloud server. Currently, we just have our employees enter a username and password to gain access to the intranet. I want to enhance our security/access to the intranet and also insure employees don't "share" passwords.

I believe the Yubikey is my answer however I don't know what type of configuration I need. I would like the ability to disable the key if we terminate an employee. Can anyone advise what our best solution would be?

I'm also looking to hire someone that can implement this for us.

Thank you!

Ken

Using 2 factor authentication provides two critical pieces of information: something you know, something you have. Yubikey provides the second part of this equation.

If you deploy yubikeys to your employees, each yubikey would be associated with a given account and in addition to entering the username and password, the yubikey's OTP (one time password) would be requested at login.

If you are using unix systems, it would be possible to use the Yubikey PAM authentication module to easily get authentication against your services (you can use the yubicloud authentication service or have your own authenication server depending on your security requirements -- yubicloud usage is very easy to integrate).

Once this is setup, even if your employees are sharing passwords, they would also need to share the yubikey to access their account (in which case you would need to have a corporate policy against).

When an employee is terminated, if you are running the authenication server, you could delete their key or if you are using the yubicloud, you could remove the association of their key with their account -- easy enough to disable from the administrative side.