One of the features of newer YubiKeys is that they can perform “attestation”, which gives them the potential to be even more powerful in terms of protecting your data.
In coordination with Yubico, SecureW2 has improved on the native attestation feature, making it easier to implement and giving it more features. Read on to learn what YubiKey attestation is and how you can use it.
What is YubiKey Attestation?
Attestation means the same thing in cybersecurity as it does in the legal world – it’s a signature that verifies the origin of a document, or in this case, a digital certificate.
Attestation for digital certificates is usually performed on the device the certificate is being issued to. That is a critical part of attestation, because the point at which digital certificates are vulnerable to compromise is when they are being distributed to client devices. On-device attestation proves that the certificate’s private key was generated locally and is uncompromised.
Of course, if it were that easy, all device certificates would be attested automatically. To generate and attest a legitimate digital certificate, the device itself needs a secure cryptoprocessor such as a hardware security module (HSM) or a PIV-enabled smart card, as is the case with several Yubico products.
Yubico’s Native Attestation Features
YubiKey 4.3 and newer can all attest their asymmetric keys natively, but using the feature takes a bit of legwork.
All attestation-capable YubiKeys ship with an X.509 attestation certificate in PIV key slot f9, which is used only for verifying (attesting) keys and certificates generated on the device. The factory certificate is signed by the Yubico PIV CA, but it can be overwritten with your organization’s own attestation certificate if needed.
To use the attestation feature, you have to run the yubico-piv-tool attestation command manually for each key slot you want to attest, on each YubiKey. Note that clearing or resetting a YubiKey does not remove the attestation certificate.
Yubico’s attestation documentation is available on its developer site.
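The chain just described (Yubico PIV CA → slot f9 attestation certificate → per-slot attestation statement) can be checked offline once the three PEM files have been exported. The following is an added example, not SecureW2’s or Yubico’s code; it assumes the Python `cryptography` package and the extension layout given in Yubico’s PIV attestation documentation, and it builds a constructed stand-in chain (not signed by Yubico) so it runs without a device.

```python
"""Offline check of a YubiKey PIV attestation chain (added example; needs `cryptography`)."""
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Yubico OIDs in a per-slot statement (layout per Yubico docs): 3-byte firmware, DER INTEGER serial, [pin, touch]
OID_FIRMWARE = x509.ObjectIdentifier("1.3.6.1.4.1.41482.3.3")
OID_SERIAL = x509.ObjectIdentifier("1.3.6.1.4.1.41482.3.7")
OID_POLICY = x509.ObjectIdentifier("1.3.6.1.4.1.41482.3.8")
NOW = datetime.now(timezone.utc)

def _signed_by(cert, issuer):
    """True if issuer's subject matches cert's issuer and issuer's EC key signed cert."""
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
    except Exception:  # InvalidSignature or key-type mismatch
        return False
    return cert.issuer == issuer.subject

def verify_attestation(root_pem, f9_pem, attest_pem):
    """Chain: trusted root -> slot f9 attestation cert -> per-slot statement.
    Returns the device facts the statement asserts, or None if the chain fails."""
    root, f9, leaf = (x509.load_pem_x509_certificate(p) for p in (root_pem, f9_pem, attest_pem))
    if not (_signed_by(f9, root) and _signed_by(leaf, f9)):
        return None
    raw = lambda oid: leaf.extensions.get_extension_for_oid(oid).value.value
    fw, ser, pol = raw(OID_FIRMWARE), raw(OID_SERIAL), raw(OID_POLICY)
    return {"firmware": "%d.%d.%d" % tuple(fw[:3]),
            "serial": int.from_bytes(ser[2:2 + ser[1]], "big"),  # skip DER tag+length
            "pin_policy": pol[0], "touch_policy": pol[1]}

def _cert(subject, issuer, issuer_key, key, exts=()):
    name = lambda cn: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    b = (x509.CertificateBuilder().subject_name(name(subject)).issuer_name(name(issuer))
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(NOW - timedelta(days=1)).not_valid_after(NOW + timedelta(days=3650)))
    for oid, value in exts:
        b = b.add_extension(x509.UnrecognizedExtension(oid, value), critical=False)
    return b.sign(issuer_key, hashes.SHA256())

def constructed_chain(serial=12345678, firmware=(5, 4, 3), pin=2, touch=1, forged=False):
    """Constructed stand-in chain (NOT Yubico-signed); forged=True signs the statement with a non-f9 key."""
    root_key, f9_key, slot_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root = _cert("Test Root", "Test Root", root_key, root_key)
    f9 = _cert("Test f9", "Test Root", root_key, f9_key)
    signer = ec.generate_private_key(ec.SECP256R1()) if forged else f9_key
    exts = [(OID_FIRMWARE, bytes(firmware)), (OID_SERIAL, b"\x02\x04" + serial.to_bytes(4, "big")),
            (OID_POLICY, bytes([pin, touch]))]
    leaf = _cert("Test 9a", "Test f9", signer, slot_key, exts)
    return tuple(c.public_bytes(serialization.Encoding.PEM) for c in (root, f9, leaf))
```

With a real key, the three PEM inputs are Yubico’s published PIV root, the slot f9 certificate read from the device, and the statement produced by the attest command for the slot in question.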
SecureW2 Enhanced YubiKey Attestation
As a Yubico Partner, SecureW2 has developed several solutions that advance the security and convenience offered by YubiKeys. Expanding on their attestation feature by integrating it with our robust certificate management platform was a natural next step.
Whereas native YubiKey certificate attestation requires manual command-line verification for each key or certificate, our solution scales the process much better through an intuitive GUI.
Once users have gone through the simple enrollment process shown above, the SecureW2 management portal will be able to attest the private key was generated on the YubiKey.
The management platform also allows you to create certificate management policies which, like group policies, enable you to segment your users’ permissions and access levels based on a variety of criteria – such as whether or not their certificate is attested.
When you can attest a private key has been generated on a YubiKey, you can give the highest assurance levels possible and provide security clearance with the utmost confidence.
Upgrade Your Security With YubiKey Certificate Attestation
As an MFA device, YubiKeys are already a stellar way to strengthen your organization’s security, but they can do much more.
Our industry-first YubiKey certificate management solution hugely expands both the range of services your YubiKey can authenticate to and the security a YubiKey provides against internal and external threats. Use our platform to enroll certificates for desktop, Wi-Fi, and VPN logon with your YubiKey, or to create certificate policies for access management.
We have affordable options for organizations of every size. Click here to see our pricing.
*** This is a Security Bloggers Network syndicated blog from SecureW2 authored by Patrick Grubbs. Read the original post at: https://www.securew2.com/blog/yubikey-certificate-attestation/