One Identity Safeguard for Privileged Sessions 5.7.0 - YubiKey Multi-Factor Authentication - Overview

Introduction

This document describes how you can use the services of Yubico (YubiKey) to authenticate the sessions of your privileged users with One Identity Safeguard for Privileged Sessions (Safeguard for Privileged Sessions).

One Identity Safeguard for Privileged Sessions:

One Identity Safeguard for Privileged Sessions (Safeguard for Privileged Sessions) controls privileged access to remote IT systems, records activities in searchable, movie-like audit trails, and prevents malicious actions. Safeguard for Privileged Sessions is a quickly deployable enterprise device, completely independent from clients and servers — integrating seamlessly into existing networks. It captures the activity data necessary for user profiling and enables full user session drill down for forensic investigations.

Safeguard for Privileged Sessions acts as a central authentication gateway, enforcing strong authentication before users access sensitive IT assets. Safeguard for Privileged Sessions can integrate with remote user directories to resolve the group memberships of users who access nonpublic information. Credentials for accessing information systems can be retrieved transparently from Safeguard for Privileged Sessions's local credential store or a third-party password management system. This method protects the confidentiality of passwords as users can never access them. When used together with YubiKey (or another multi-factor authentication provider), Safeguard for Privileged Sessions directs all connections to the authentication tool, and upon successful authentication, it permits the user to access the information system.

Integrating YubiKey with Safeguard for Privileged Sessions:

Safeguard for Privileged Sessions can interact with your YubiKey account and can automatically request strong multi-factor authentication for your privileged users who are accessing the servers and services protected by PSM. When used together with YubiKey, Safeguard for Privileged Sessions directs all connections to the YubiKey tool, and upon successful authentication, it permits the user to access the information system.

The integration adds an additional security layer to the gateway authentication performed on Safeguard for Privileged Sessions. YubiKey 4, YubiKey 4 Nano, and YubiKey NEO devices are pre-configured with the Yubico one-time password (OTP) (all other YubiKeys, except for the FIDO U2F Security Key by Yubico, also support Yubico OTP). The OTP will be used for authentication to the One Identity platform. This way, the device turns into a two-factor authentication token for the user. The one-time password is changed after every authentication and is generated using dynamic keys.

Meet compliance requirements

ISO 27001, ISO 27018, SOC 2, and other regulations and industry standards include authentication-related requirements, for example, multi-factor authentication (MFA) for accessing production systems, and the logging of all administrative sessions. In addition to other requirements, using Safeguard for Privileged Sessions and YubiKey helps you comply with the following requirements:

  • PCI DSS 8.3: Secure all individual non-console administrative access and all remote access to the cardholder data environment (CDE) using multi-factor authentication.

  • PART 500.12 Multi-Factor Authentication: Covered entities are required to apply multi-factor authentication for:

    • Each individual accessing the covered entity’s internal systems.

    • Authorized access to database servers that allow access to nonpublic information.

    • Third parties accessing nonpublic information.

  • NIST 800-53 IA-2, Identification and Authentication, network access to privileged accounts: The information system implements multi-factor authentication for network access to privileged accounts.

  • The General Data Protection Regulation (GDPR) goes into effect on May 25, 2018, and is applicable to organizations keeping personally identifiable information (PII) and offering goods or services to individuals based in the EU.

    YubiKey provides strong authentication to secure access to PII and comply with GDPR.

  • The Defense FAR Supplement (DFARS) clause went into effect on December 31, 2017, and is applicable to US Department of Defense (DoD) contractors to protect unclassified DoD information and minimize loss of information.

    The multi-protocol YubiKey meets DFARS requirements for strong authentication, and is the only hardware authentication solution to meet DoD contractor security requirements.

  • The revised Directive on Payment Services (PSD2) provides recommendations on standardized access to customer data and banking infrastructure, including draft regulatory technical standards specifying the requirements of strong customer authentication (SCA).

    Yubico and FIDO are playing active roles in the PSD2 framework with proven technology.


How Safeguard for Privileged Sessions and YubiKey MFA work together

Figure 1: How Safeguard for Privileged Sessions and YubiKey work together

  1. A user attempts to log in to a protected server.

  2. Gateway authentication on Safeguard for Privileged Sessions

    Safeguard for Privileged Sessions receives the connection request and authenticates the user. Safeguard for Privileged Sessions can authenticate the user against a number of external user directories, for example, LDAP, Microsoft Active Directory, or RADIUS. This authentication is the first factor.

  3. Outband authentication on YubiKey

    If gateway authentication is successful, Safeguard for Privileged Sessions connects to the YubiKey server to check which authentication factors are available for the user. Then Safeguard for Privileged Sessions requests the second authentication factor from the user. Safeguard for Privileged Sessions supports authentication factors that are based on keyboard interaction, such as Yubico-OTP, OATH-OTP, OATH-HOTP, and OATH-TOTP. For details on these authentication factors, see What is OATH?.

    For OTP-like authentication factors, Safeguard for Privileged Sessions requests the one-time password (OTP) from the user and sends it to a YubiKey validation service for verification: either a validation server running on premises, or the YubiCloud Validation Service.

  4. If multi-factor authentication is successful, the user can start working, while Safeguard for Privileged Sessions records the user's activities. (Optionally, Safeguard for Privileged Sessions can retrieve credentials from a local or external credential store or password vault, and perform authentication on the server with credentials that are not known to the user.)
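The exchange in step 3, as an added example that is not part of this page or of the Safeguard for Privileged Sessions plugin. It assumes Yubico's public verify protocol v2.0: a GET to /wsapi/2.0/verify carrying the Client ID, the OTP, a fresh nonce and an HMAC-SHA1 signature over the other parameters keyed with the API Key, answered by a key=value reply that the client must signature-check and match against the OTP and nonce it sent. The Client ID and API Key below are constructed placeholders, and the reply is simulated so the code runs offline.

```python
# Added example (not One Identity's plugin code): the request/response
# exchange with the YubiKey Validation Service in step 3. Assumes Yubico's
# public verify protocol v2.0; Client ID and API key are constructed.
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

VERIFY_URL = "https://api.yubico.com/wsapi/2.0/verify"   # YubiCloud endpoint

# Constructed placeholders; a real pair comes from Yubico's "get API key" page.
DEMO_CLIENT_ID = "12345"
DEMO_API_KEY = base64.b64encode(b"constructed-api-key!").decode()


def sign_params(params, api_key_b64):
    """HMAC-SHA1 over 'k=v&k=v', keys sorted, 'h' excluded; base64-encoded."""
    key = base64.b64decode(api_key_b64)
    msg = "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "h")
    return base64.b64encode(hmac.new(key, msg.encode(), hashlib.sha1).digest()).decode()


def build_verify_request(client_id, otp, api_key_b64, nonce=None):
    """Return (url, nonce). A fresh nonce per request ties the reply to it,
    so a captured reply cannot be replayed against a later request."""
    nonce = nonce or secrets.token_hex(16)        # 32 chars, within Yubico's 16-40 limit
    params = {"id": client_id, "otp": otp, "nonce": nonce}
    params["h"] = sign_params(params, api_key_b64)
    return VERIFY_URL + "?" + urlencode(params), nonce


def parse_response(body):
    """The service answers with one 'key=value' per line."""
    fields = {}
    for line in body.splitlines():
        if "=" in line:
            k, v = line.strip().split("=", 1)
            fields[k] = v
    return fields


def check_response(body, sent_otp, sent_nonce, api_key_b64):
    """Accept only a reply signed with our API key that echoes the OTP and
    nonce we sent and carries status=OK. Returns (accepted, reason)."""
    r = parse_response(body)
    if "h" not in r or not hmac.compare_digest(r["h"], sign_params(r, api_key_b64)):
        return False, "bad signature"          # forged or tampered reply
    if r.get("otp") != sent_otp:
        return False, "otp mismatch"           # reply belongs to another OTP
    if r.get("nonce") != sent_nonce:
        return False, "nonce mismatch"         # replayed reply
    if r.get("status") != "OK":
        return False, r.get("status", "missing status")   # e.g. REPLAYED_OTP, BAD_OTP
    return True, "OK"


def make_signed_response(fields, api_key_b64):
    """Simulated validation-service reply, present only so the example runs
    offline; a real deployment receives this body over HTTPS."""
    fields = dict(fields)
    fields["h"] = sign_params(fields, api_key_b64)
    return "\r\n".join(f"{k}={v}" for k, v in fields.items()) + "\r\n"


if __name__ == "__main__":
    otp = "cccjgjgkhcbbirdrfdnlnghhfgrtnnlgedjlftrbdeut"   # the OTP shown on this page
    url, nonce = build_verify_request(DEMO_CLIENT_ID, otp, DEMO_API_KEY)
    reply = make_signed_response({"t": "2018-01-01T00:00:00Z0000", "otp": otp,
                                  "nonce": nonce, "sl": "100", "status": "OK"}, DEMO_API_KEY)
    print(url)
    print(check_response(reply, otp, nonce, DEMO_API_KEY))
```

The order of the checks matters: the signature is verified before any field is trusted, and a status other than OK (for example REPLAYED_OTP for a password that was already used once) is rejected even when the reply is genuine.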


Technical requirements

In order to successfully connect Safeguard for Privileged Sessions with YubiKey, you need the following components.

In YubiKey:
  • The users must have a YubiKey device and a means to map usernames to YubiKey Public IDs. For details, see "[users]" in the YubiKey Multi-Factor Authentication - Tutorial and "[ldap]" in the YubiKey Multi-Factor Authentication - Tutorial.

  • The YubiKey Client ID and API Key.

    For details on generating your Client ID and API Key, see How do I get an API key for YubiKey development?.

    To generate your Client ID and API Key, authenticate yourself using a YubiKey One-Time Password and provide your e-mail address as a reference at Yubico get API key.

    A Yubico OTP is a 44-character, single-use string consisting of a Public ID and a 128-bit encrypted passcode. It has two parts: the first 12 characters remain constant and represent the Public ID of the YubiKey device itself; the remaining 32 characters form a passcode that is unique to each OTP generated.

    For example, in the following Yubico OTP, the characters cccjgjgkhcbb are the Public ID, and the remaining characters are the passcode.

    cccjgjgkhcbbirdrfdnlnghhfgrtnnlgedjlftrbdeut

  • YubiKey does not require network connectivity or access to a mobile phone device. Just touch or tap the YubiKey device to authenticate.
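Taking the example OTP apart along the lines just described, as an added example that is not code from this page or from the plugin. It assumes Yubico's public modhex alphabet (the 16 letters a YubiKey types, chosen to be the same on most keyboard layouts) and the 12 + 32 character layout given above; the Public-ID-to-username table is constructed for illustration and stands in for the plugin's [users] section or an LDAP lookup.

```python
# Added example (not code from the page or the plugin): splitting a Yubico
# OTP into Public ID and passcode and resolving the Public ID to a user.
# Assumes Yubico's public modhex alphabet; the user table is constructed.
MODHEX_ALPHABET = "cbdefghijklnrtuv"   # modhex digit at index i encodes hex nibble i
PUBLIC_ID_LEN = 12
PASSCODE_LEN = 32
OTP_LEN = PUBLIC_ID_LEN + PASSCODE_LEN   # 44

# Constructed mapping; "cccjgjgkhcbb" is the Public ID of the page's example OTP.
USER_BY_PUBLIC_ID = {"cccjgjgkhcbb": "alice"}


def modhex_decode(text):
    """Decode modhex to bytes: two modhex characters per byte."""
    if len(text) % 2:
        raise ValueError("modhex strings have an even length")
    out = bytearray()
    for i in range(0, len(text), 2):
        hi = MODHEX_ALPHABET.index(text[i])
        lo = MODHEX_ALPHABET.index(text[i + 1])
        out.append((hi << 4) | lo)
    return bytes(out)


def split_otp(otp):
    """Validate the 44-character modhex shape and return (public_id, passcode)."""
    otp = otp.strip().lower()
    if len(otp) != OTP_LEN:
        raise ValueError(f"expected {OTP_LEN} characters, got {len(otp)}")
    bad = [c for c in otp if c not in MODHEX_ALPHABET]
    if bad:
        raise ValueError(f"not modhex: {bad!r}")
    return otp[:PUBLIC_ID_LEN], otp[PUBLIC_ID_LEN:]


def resolve_user(otp, user_by_public_id=USER_BY_PUBLIC_ID):
    """Map the OTP's Public ID to a username, or None if no device is enrolled.
    The passcode is not inspected here: it is encrypted with a key held only by
    the device and the validation service, so only the service can judge it."""
    public_id, _passcode = split_otp(otp)
    return user_by_public_id.get(public_id)


if __name__ == "__main__":
    otp = "cccjgjgkhcbbirdrfdnlnghhfgrtnnlgedjlftrbdeut"   # the OTP shown on this page
    public_id, passcode = split_otp(otp)
    print("public id:", public_id, "=", modhex_decode(public_id).hex())
    print("passcode bytes:", len(modhex_decode(passcode)))
    print("user:", resolve_user(otp))
```

Decoding shows why the page calls the passcode "128-bit": its 32 modhex characters are 16 bytes of ciphertext, while the 12-character Public ID decodes to 6 bytes that identify the device. Resolving the user from the Public ID before the OTP is sent for validation lets the gateway reject a key that is not enrolled for the authenticated user, which is the check the plugin's [users] or [ldap] mapping exists to support.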

In Safeguard for Privileged Sessions:
  • A One Identity Safeguard for Privileged Sessions appliance (virtual or physical), at least version 5 F1.

  • A copy of the Safeguard for Privileged Sessions YubiKey plugin. This plugin is an Authentication and Authorization (AA) plugin customized to work with the YubiKey multi-factor authentication service.

  • Safeguard for Privileged Sessions must be able to access the validation service.

    The connection also requires the Client ID and API Key.

Availability and support of the plugin

The Safeguard for Privileged Sessions YubiKey plugin is available as-is, free of charge to every Safeguard for Privileged Sessions customer from the Plugin Page. In case you need any customizations or additional features, contact professionalservices@balabit.com.

You can use the plugin on Safeguard for Privileged Sessions 5 F5 and later. If you need to use the plugin on Safeguard for Privileged Sessions 5 LTS, contact professionalservices@balabit.com.


Learn more

To find out more about Safeguard for Privileged Sessions, visit the One Identity page.

For a detailed tutorial about how to connect your YubiKey account with Safeguard for Privileged Sessions, see YubiKey Multi-Factor Authentication - Tutorial.

If you need help in connecting your YubiKey account with One Identity Safeguard for Privileged Sessions, contact our Sales Team or contact professionalservices@balabit.com.
