IT Consulting Agency Tests Smart Card Deployment with SecureW2

Deployment Timeline

For this customer, cybersecurity isn’t just a small consideration in their day-to-day operations – it’s a whole way of life. They were founded with the goal of providing reliable consultation and solutions to numerous other organizations, but before they can recommend a solution for someone else, they believe in testing it thoroughly themselves.

With this goal in mind, the customer contacted SecureW2 in the spring of 2022. They had heard about SecureW2’s mission of making passwordless authentication available for all organizations, and they were ready to test what we had to offer. Within three weeks of initial contact, SecureW2 had worked with the company to deploy our Smart Card Management System, Cloud RADIUS, and PKI.

Challenges

Logging into anything – whether it’s a site, application, or device – has evolved far beyond what it was even several years ago. More and more industry titans are recommending measures like Multi-Factor Authentication (MFA) and certificates as opposed to credentials. This company, as an IT solutions provider, had its finger on the pulse of the cybersecurity world.

We knew we wanted to do certificate-backed EAP-TLS, but we wanted to take it a step further by also using YubiKeys with certificates. This wasn’t just for our own security, either – we wanted to test it out first before recommending it to potential clients.
SOFIA, DATA SECURITY ANALYST

The company had learned that certificates make it possible to extend their already-existing policies from their Identity Provider, Okta, to their network authentication. Smart cards enhance security even more by providing a physical means with which to log into company devices.

Two challenges came up in equipping their YubiKey smart cards and unmanaged employee devices with certificates. First, the customer discovered that logging into a Mac device with a certificate on a smart card was difficult. Second, getting certificates onto unmanaged employee devices was an issue – not everyone had the technical expertise to configure their own devices properly for certificates.

Solution

Equipping all manner of devices with digital X.509 certificates is something SecureW2 excels at. Smart cards like YubiKeys are no exception. Our PKI is also designed to integrate with your infrastructure, including IDPs like Okta, so you can make the most of the policies you’ve already established.

Once our PKI was configured, getting certificates to all end-user devices was the next step. Fortunately, SecureW2 has designed powerful onboarding tools like JoinNow MultiOS that allow employees to configure their own devices for certificates in just a couple clicks. This ensured that everyone was able to enroll for certificates with absolutely no effort on the part of their IT team.

But perhaps the biggest challenge was using a certificate on a YubiKey to log into Mac devices. Our support team was able to create a custom solution on the backend that allowed the customer to use certificates on YubiKeys to log into their Macs. With a certificate installed in Slot 9D of the YubiKey, the YubiKey is able to unlock the Mac’s keychain.

We were blown away by how knowledgeable SecureW2’s support team was. They bent over backward to ensure that we were able to easily deploy their solutions.
SOFIA, DATA SECURITY ANALYST

Of course, once devices and smart cards were successfully enrolled for certificates, the company still needed something for those certificates to authenticate to. The solution to that problem was our Cloud RADIUS, a cloud-native RADIUS service designed for use with passwordless authentication. Like our PKI, it can integrate with any major IDP. Thanks to the power of Identity Lookup, it can even check your IDP at the time of authentication to ensure the most current policies are applied.

Evaluating Success

Today, all employees at the organization enjoy the benefits of certificate-based authentication without the burdens of complex configuration. Enrolling for their certificates is completed through our self-service onboarding application in mere minutes. Afterward, logging into their devices – whether it’s a Windows device or Mac device – is as easy as plugging in their YubiKeys.

Each certificate is authenticated by Cloud RADIUS, which performs Identity Lookup in Okta at the time of authentication. This means that administrators can update policies in Okta and rest assured that those policies will be applied the next time someone authenticates to Cloud RADIUS.

If there are any questions or issues about our solutions, our support team is waiting to assist the organization. When we followed up with the customer, we were pleased to hear the following:

After testing the products, we’re happy to say that we’d stand by SecureW2. We’d absolutely recommend them to our own customers.
SOFIA, DATA SECURITY ANALYST