
Maximizing Security with SurePassID and YubiKey: Embracing FIDO2 and OATH OTP for Enhanced Authentication

This article explains how YubiKeys fit in with the SurePassID Authentication Server (SPAS) MFA system.

Overview of SurePassID Authentication Server (SPAS) and Windows Logon Manager (WLM)

SPAS and WLM provide secure and versatile authentication solutions for Windows environments. These platforms support various authentication methods, including the advanced capabilities of YubiKeys, to ensure secure access to systems and data.

YubiKey acts as a physical authentication device that complements the security features of SPAS and WLM. It supports both the industry-standard OATH OTP and the emerging FIDO2 standard, enabling a range of authentication options from traditional 2FA to modern passwordless (passkey) logins as support for the latter becomes more prevalent.

Currently, YubiKey can be used with SPAS and WLM as a standard OATH OTP device for secure 2FA, and as a FIDO second-factor option using an NFC reader attached to the computer. Looking ahead, FIDO2 support will enable passwordless (passkey) authentication, providing a seamless and even more secure user experience.

The integration process involves configuring YubiKey devices as standard OATH OTP devices, creating a seed file for each device, and uploading the seeds to SPAS, where they can be assigned to users. Optionally, a FIDO keyring can be added to the user's account in SPAS and the relevant FIDO keys registered as second-factor keys for use with WLM. They can also be registered as "passwordless (passkey)" keys, which enables passwordless (passkey) login to current versions of SPAS, prepares for future passwordless support in WLM, and still provides the second-factor option for Windows logins today.

The combination of SPAS, WLM, and YubiKey provides a comprehensive security solution. This integration offers flexibility in authentication methods, enhances security against unauthorized access, and prepares organizations for adopting passwordless (passkey) authentication.

To use YubiKey with SPAS and WLM, users need devices with USB ports, an NFC or PC/SC smart card reader, and the SPAS software or SaaS service. The implementation involves registering the YubiKey with SPAS and configuring the preferred authentication method. Current shipping versions of the SurePassID WLM support contactless (NFC and PC/SC smart card) interfaces but not direct USB connections at this time. Direct USB connections can be used with the SPAS portal and other web-based systems.

Adopting YubiKey within the SPAS and WLM framework significantly strengthens security. With current support for OATH OTP and FIDO second factor, and upcoming FIDO2 passwordless capabilities, organizations are well equipped to face future security challenges.