How to Use Yubikeys for VPN

Key Points
  • Using Yubikeys with digital certificates for VPN authentication improves security substantially: the private key is generated on the token and never leaves it, so there is no password to phish, reuse, or steal, and login proves possession of the hardware rather than knowledge of a secret.
  • Utilizing digital certificates with smart cards like Yubikeys requires a Public Key Infrastructure to manage the certificate lifecycle.
  • SecureW2's Managed PKI streamlines creating and managing certificates, allowing organizations to establish secure VPN connectivity quickly.

Yubikeys are a useful and secure tool for protecting yourself from data theft. They add a hardware-backed authentication factor and can be combined with other authentication methods to further protect your data.

While Yubikeys are already a powerful multi-factor authentication (MFA) device, using them together with certificates for VPN login lets you work from home while keeping to security best practices for your organization’s private data. A majority of IT security professionals (55%) would prefer a way of protecting accounts that doesn’t involve passwords. SecureW2 has developed an industry-first solution for enrolling security keys for digital certificates, and it comes with a RADIUS server designed for security-key certificate authentication, so you have strong security in any situation. See how easy it is to use certificates in one of our customer stories.

Advantages of Using Yubikey For VPN

Using a security key (like a Yubikey) with certificates to access VPN has benefits both to the individual and the organization as a whole.

Certificates are a convenient way to retire antiquated credentials: you can keep a Yubikey on hand and access your VPN as easily as with a password, but far more securely. Certificates also add the following benefits:

  • Certificates are tied to the identity of a person or device, unlike shared credentials, so you know exactly who is on the network and from which device. A person can’t ‘lend’ a coworker their certificate to log in, and when the private key lives on a Yubikey it cannot even be copied off the token.
  • Certificates are strong protection against over-the-air attacks such as the man-in-the-middle attack. Unlike a password, a certificate is not a secret: login proves possession of the matching private key, which the Yubikey never exposes. Even if a bad actor intercepted your login exchange, they would still lack the private key, so they could neither replay nor complete the authentication; and a client that validates the gateway’s certificate will refuse a rogue gateway.
  • Certificates reduce the burden on your IT department because they eliminate password-reset policies, which inevitably cause confusion every 60 or 90 days. Certificate lifetimes can be set to years (10+ is possible); pair long lifetimes with a working revocation process (CRL or OCSP) so a lost Yubikey can be cut off immediately.
  • Certificates also give a better user experience than per-application security-key registration (as with FIDO2/WebAuthn). If you lose a Yubikey registered that way, you have to set up the replacement with every single application. With certificates you only re-enroll for one client certificate (and revoke the old one), and everything works again.

A physical security token makes a VPN very hard to attack through standard tactics such as phishing, credential stuffing, or password spraying. The private key is generated inside the Yubikey and cannot be exported, so there is nothing to capture over the wire, and data thieves cannot steal a physical device remotely. The remaining risk is physical loss, which is why the key is protected by a PIN and why a lost token’s certificate should be revoked promptly.

How To Set Up Certificate-Based VPN Authentication

Many organizations find generating and managing certificates to be a major hassle. SecureW2’s Managed PKI comes with a management portal that makes handling certificates straightforward. To set up certificate authentication for our VPN, we need to create a Certificate Authority (CA) and import it onto our Firewall/VPN Gateway/RADIUS Server. Here’s how to create certificate authorities with SecureW2:

  1. Under PKI Management, select Certificate Authorities.
  2. Select Add Certificate Authority.
  3. Choose Intermediate CA under Type.
  4. Select the corresponding Root CA under Certificate Authority.
    1. You can create a new Root CA in Add Certificate Authority if needed.
  5. Choose your desired setting under Generate Via:
    1. Internal System: the intermediate CA private key and certificate are stored in the cloud. This CA can then be used in the Enrollment policy to sign client certificates.
    2. Certificate Signing Request: lets administrators upload a Certificate Signing Request and have it signed by the Root CA, so the intermediate’s private key stays wherever the CSR was generated.
    3. Browser: the intermediate CA private key and certificate are not stored in the cloud portal and can be downloaded. This CA cannot be used for device enrollment; it is intended for SSL inspection.
  6. Choose a name and expiration date, then save.

Next, go to your RADIUS server or firewall management portal and import the intermediate CA (together with its root) as the trusted CA for client authentication, so the gateway accepts only client certificates that chain to it. Configure revocation checking (CRL or OCSP) on the same gateway so that a certificate revoked for a lost Yubikey is rejected at login.
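To show what the gateway is actually checking once the CA is imported, and why an intercepted certificate is useless without the private key (the man-in-the-middle point made above), here is an added example written for this page in Go using only the standard library. It is not SecureW2’s or Yubico’s code. It builds the same three-tier chain as the steps above (Root CA, Intermediate CA, client certificate) with hypothetical names and lifetimes, uses a software P-256 key to stand in for the non-exportable key a Yubikey generates in its PIV slot, and models the gateway as trusting only the imported chain, requiring the clientAuth extended key usage, and demanding a signature over a constructed challenge as proof of possession.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// DemoPKI mirrors the setup steps above: Root CA -> Intermediate CA -> client
// certificate. ClientKey stands in for the non-exportable key a YubiKey
// generates in its PIV slot; names and lifetimes are hypothetical.
type DemoPKI struct {
	Root, Intermediate, Client *x509.Certificate
	ClientKey                  *ecdsa.PrivateKey
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	return k
}

// issue signs tmpl with signer (the parent's key); parent == nil self-signs.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil { parent = tmpl }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert
}

func caTemplate(serial int64, cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// BuildDemoPKI issues the chain. The client certificate carries the clientAuth
// EKU that a VPN gateway or RADIUS server requires of a VPN user.
func BuildDemoPKI(user string) *DemoPKI {
	rootKey, intKey, clientKey := newKey(), newKey(), newKey()
	root := issue(caTemplate(1, "Example Root CA"), nil, &rootKey.PublicKey, rootKey)
	inter := issue(caTemplate(2, "Example Intermediate CA"), root, &intKey.PublicKey, rootKey)
	clientTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: user},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(1, 0, 0),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	client := issue(clientTmpl, inter, &clientKey.PublicKey, intKey)
	return &DemoPKI{Root: root, Intermediate: inter, Client: client, ClientKey: clientKey}
}

// ProveKeyOwnership is the YubiKey's part of the handshake: sign the gateway's
// challenge with the slot's private key. The key itself never leaves the token.
func ProveKeyOwnership(key *ecdsa.PrivateKey, challenge []byte) []byte {
	digest := sha256.Sum256(challenge)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil { panic(err) }
	return sig
}

// GatewayAccept models the gateway/RADIUS side after the CA import: trust only
// the imported chain, require the clientAuth EKU, then check proof of possession.
// It returns the authenticated identity (the certificate's CN) or an error.
func GatewayAccept(trustedRoot, trustedInter, presented *x509.Certificate, challenge, sig []byte) (string, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(trustedRoot)
	inters.AddCert(trustedInter)
	if _, err := presented.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}); err != nil {
		return "", fmt.Errorf("chain validation failed: %w", err)
	}
	pub, ok := presented.PublicKey.(*ecdsa.PublicKey)
	if !ok { return "", errors.New("unexpected key type in certificate") }
	digest := sha256.Sum256(challenge)
	// An attacker who captured the certificate in transit fails here: the
	// signature can only be produced with the key inside the YubiKey.
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return "", errors.New("proof of possession failed")
	}
	return presented.Subject.CommonName, nil
}
```

Calling GatewayAccept with the genuine ClientKey yields the user’s CN; calling it with the same certificate but a signature from any other key, or with a well-formed certificate issued by a different CA, returns an error. Revocation checking is deliberately left out of this sketch: a real gateway must add a CRL or OCSP check before accepting the chain.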

How to Use Yubikey For Certificate VPN Authentication

To use a Yubikey for VPN authentication, you need a unique client certificate on a PIV-compatible Yubikey. The certificate and its private key reside in the Yubikey’s PIV smart card applet: the key is generated on the device and cannot be exported, and the certificate is what the VPN client presents at login. Getting the certificate onto the Yubikey is simple because SecureW2 lets end-users enroll their Yubikeys for certificates themselves.

With your Yubikey inserted into the computer, run the SecureW2 onboarding client, enter your PIN/PUK and your directory credentials, and you’re done. A GIF summary of the process is shown below; it only takes a couple of minutes.

Easy VPN Yubikey Authentication with SecureW2

Putting your network’s security at the forefront allows you to put your mind at ease. Ready for certificates to expand the ability of your Yubikeys and enhance your security? Check out how SecureW2 works with smart cards on our solutions page.

Learn about this author

Eytan Raphaely

Eytan Raphaely is a digital marketing professional with a true passion for writing things that he thinks are really funny, that other people think are mildly funny. Eytan is a graduate of University of Washington where he studied digital marketing. Eytan has diverse writing experience, including studios and marketing consulting companies, digital comedy media companies, and more.
