The hardest part of implementing FIDO2 is getting your users to enroll their keys. Yubico rolled out a new feature that allows you to ship YubiKeys with pre-loaded FIDO2 keys But it is only for Okta. Can you do it with Entra ID?
Going passwordless is the future of authentication. But what’s the difference between smartcards and YubiKeys? This blog will help you understand the key differences between the two and how they can help you secure your organization.
2FA and MFA are some of the best ways your organization can protect users' accounts without going passwordless, though we at Keytos are massive proponents of passwordless authentication. Some of the best ways to implement MFA are hardware keys (such as YubiKeys) and apps (such as the Microsoft Authenticator app). While these MFA methods are fantastic, they have one glaring flaw – as physical devices, they are able to be lost. It is not hard at all to imagine someone losing their YubiKey or their mobile device somewhere, somehow – so, what happens if an employee loses their device?
Going passwordless in Entra ID is a great way to improve security. However, getting it working in Windows can be tricky. Learn how to enable smartcard log-on in Windows with Entra CBA.
Phishing resistant authentication is a game-changer for security and user experience. Learn how it improves your security and user experience.
Are you looking to create an SSH Certificate Authority in Azure? In this blog, we'll dive deeper into how you can create an SSH CA in Azure, the importance of SSH certificates, and how solutions like EZSSH are changing the game when it comes to securing your systems. Let’s get into it!
Passkeys have been gaining popularity in the cloud security world, in this blog we answer the question that you are asking yourself. Are passkeys unphishable? In this blog,
We know passwords are vulnerable to phishing attacks, and certificates are better but is all Certificate-Based Authentication in Entra Identity phishing resistant? Let's find out.
Windows Hello for Business is a great step towards passwordless, but is it enough? Can you go passwordless with Windows Hello for Business?
Are all passwordless authentication methods phishing resistant? Which passwordless authentication methods are phishing resistant? Let's find out! TL;DR FIDO2 and smartcard are the winners.
Get the best Azure YubiKey management service with EZCMS by Keytos. Learn how to simplify going passwordless and improve your security posture.
Discover the future of security with Passwordless Authentication! Learn how it enhances security by eliminating passwords, comparing methods like Phone-based, Certificate-Based, and FIDO2 for the best fit for your org
Enhance SSH security without sharing keys Use SSO and SSH certificates for safe, easy access. Learn to implement best practices and technology for secure SSH
As organizations continue to digitize and operate in increasingly cloud-centric environments, the importance of secure, manageable, and auditable authentication mechanisms cannot be overstated. We all know that breaches can lead to unauthorized access, data theft, and potentially catastrophic security incidents. While enhancing SSH authentication might not be the first thing that comes to mind when we talk about IAM and going passwordless, it certainly aligns with the broader need for robust security practices that safeguard against evolving threats.
Learn how to implement phishing resistant authentication in Entra ID with Entra CBA and FIDO2 passkeys and start your journey to a passwordless future.
If you are reading this, it’s almost certain that you’ve been tasked with helping your organization go passwordless. Perhaps it’s because Management heard that compromised passwords play a key role in 80+% of cybersecurity breaches, or maybe it’s because of the cyber insurance incentives and discounts for going passwordless. Why you are here is not as important as what you are going to learn. In this guide, Keytos will guide you on how to go passwordless in Entra ID (Azure AD), from all the “gotchas”, to links, to step-by-step guides for each process, to the pointers that helped us follow Azure Identity best practices and go fully passwordless.
One of the biggest questions that we’ve seen across sales calls, Reddit forums, conferences, and more is “Are YubiKeys phishing resistant?” Honestly, it’s a valid question – YubiKeys have been pretty prominently featured in the push for passwordless authentication but are they phishing resistant?
Choosing to adopt a phishing-resistant authentication method is one thing – figuring out the best way to implement said method is an entirely different challenge. In this blog, we will be outlining the key advantages of the two leading phishing-resistant authentication methods
Phishing resistant authentication is a game-changer for security and user experience. Learn how it improves your security and user experience.
Once you have decided to go passwordless with FIDO2 keys, the next step is to onboard them. This guide will help you onboard FIDO2 keys in Azure for remote users.
This comprehensive blog explores the importance and methodology of implementing phishing-resistant, passwordless authentication methods within Azure. It dives into the critical need for organizations to adopt a security-first culture amidst rising cybersecurity threats, emphasizing the role of unphishable credentials in enhancing data protection.
Discover the essential guide to deploying phishing-resistant multi-factor authentication (MFA) for the modern workforce in our latest blog. Learn how smartcards and FIDO2 security keys create a robust defense against phishing scams, protecting your organization's credentials and integrity. Understand the urgent need for security upgrades in light of the rising sophistication of cyber threats, and how going passwordless with security keys not only enhances protection but also supports a proactive security posture.
Are you ready to implement phishing resistant authentication in Entra CBA? In this guide, we provide insight on how you can go passwordless in Entra ID, from the "gotchas," to important links, to step-by-step tutorials, all to ensure you're well prepared.
If you’re a Microsoft Active Directory expert, your first instinct for managing access to your Linux endpoint(s) is probably to domain join your Linux VMs to Active Directory. The TL;DR here is that this is an awful idea. You’re going to run into issues with DNS, Privileged Agents, No MFA, and just a generally not the best or most secure user experience.
You're probably following a guide on how to set up Entra CBA and came across Required Affinity Binding on the Entra ID portal, and are wondering whether you need it. Worry not – when Microsoft confuses you, Keytos has you covered! In this blog, we will go over what Required Affinity Binding is and whether or not you should set it to High in Entra CBA.
SSH is widely used and considered to be the standard for remotely managing Linux systems; however, it was designed in 1995, when computers were accessed by a handful of people in a local network. To help SSH scale to current cloud scale, using legacy SSH keys that do not expire becomes impossible - this is why organizations such as Facebook, Uber, Netflix, and Keytos have transitioned to SSH certificates. In this blog, we will explore why SSH certificates are the best way to do SSH effectively.
In order to effectively implement passwordless authentication in Azure throughout your organization, you need to first reflect on the entire user lifecycle. This involves processes like creating a user account without a password, distributing hardware keys (e.g., YubiKeys), onboarding users and personal computers, authenticating on the network, implementing conditional access, and enabling passwordless entry to non-Active Directory resources like Linux systems. We know that that can be a massive headache; while we can't provide you with Ibuprofen, we can help alleviate that headache by diving into each of these aspects! Let's take a closer look!
Since its initial announcement in 2022, Microsoft has significantly enhanced Entra CBA across various platforms. In their most recent update on December 13, 2023, Microsoft announced that these enhancements encompass support for certificates on different devices and compatibility with external security keys, such as YubiKeys. In this blog, we will tell you all about what this updated system provides users with as well as how to use YubiKeys for Entra CBA!
In this wild world of cybersecurity that we find ourselves in, organizations constantly seek robust solutions to combat threats like phishing. A breakthrough in this anti-phishing agenda is the adoption of FIDO2 keys for passwordless (unphishable) authentication! In this blog, we will explore how FIDO2 keys offer an unphishable credential, setting a new standard in secure authentication.
The FIDO2 standard, an evolution of FIDO, offers improved security and user convenience by removing the reliance on passwords. This results in a more secure, user-friendly, and modern method of verification, reducing the risk of fraud in online interactions. FIDO2’s purpose is straightforward: it allows us to leverage biometric data stored on our computers or mobile devices (such as fingerprint scanners, touch ID, face ID, external tokens, etc.) for accessing websites and applications. This blog will take a deep dive into these two points to help you gain a better understanding of the ins and outs of FIDO2.
If you are trying to implement unphishable credentials in Azure, you've probably looked at FIDO2 and Entra CBA (Certificate-Based Authentication); however, after taking a closer look, you will see that FIDO2 is still not fully supported in iOS, only in browsers, meaning that if you want to use phishing-resistant authentication in iOS you must use certificate-based authentication with Azure CBA (Entra CBA). As of writing this blog, only YubiKeys are supported for Entra ID mobile authentication. In this post, we will cover the full process on how to get your YubiKeys ready for iOS authentication.
It's common to encounter misconceptions that SSH certificates are identical to or interchangeable with X.509 certificates, but this is simply incorrect. This blog will concisely explore the nature of SSH certificates, why you ought to be using them, and the fundamental differences that set them apart from X.509 certificates.
In the following guide, we aim to provide insight on how you can go passwordless in Azure AD. We intend to cover everything from all the "gotchas," to links, to step-by-step tutorials for each process, to the pointers that'll ensure you're up-to-date with Azure Identity Security Best Practices. Click here to learn more!
Did you know that a 2017 study showed that a cybersecurity attack happens every 39 seconds? Organizations clearly need to prioritize reinforcing their defense strategies. Facebook, Netflix, and Uber are three great examples of top companies doing SSH the right way. Click here to learn more about how these companies do SSH and how you can follow in their footsteps.
Are you trying to secure your organization with phishing-resistant credentials but are confused by all the options? You've come to the right place! In this post, we explain if Certificate-Based Authentication (CBA) is considered MFA, as well as the different types of phishing-resistant credentials you can set up in Entra ID.
With the rising importance of securing Entra ID (fka Azure AD), it's essential to explore enhanced security measures. One of the most effective methods is, without question, the use of hardware keys such as a YubiKey. This blog will guide you through setting up a YubiKey, registering it, and enrolling it with Entra ID.
Businesses of all shapes and sizes have relied heavily over the past decade or so on e-mail filters and educating their employees about phishing as their main deterrents. While well intentioned, it’s almost altogether useless. Think about it this way… what’s the last employee training session you actually paid attention to? Simply put, the reliance on traditional employee vigilance and email filtering systems is proving to be insufficient against modern, sophisticated phishing schemes. So where do we go from here? The answer lies in the implementation of phishing-resistant Multi-Factor Authentication (MFA). Click here to learn more!
As organizations transition to a zero-trust model, passwordless SSH becomes the only way to protect your SSH endpoints. The first thing that comes to mind is using SSH Keys. They are cryptographically secure, native to Linux so no custom PAM or agent must be running on the endpoint; however, SSH keys are hard to manage. As a result, many organizations are looking for an SSH key management solution where the keys are centrally managed and can be rotated by the service. In this blog, we will do a deep dive into the best way to manage your SSH keys at scale.
So, you're trying to go passwordless to avoid all the problems associated with passwords, but you can't stop thinking to yourself, "How on Earth do you create a passwordless identity without first having a password?" You're not alone! We consider this the cybersecurity iteration of "The Chicken and Egg" conundrum. Click here to learn more!
With any luck, you’ve come across this post about saving money on cyber risk insurance as part of a proactive vendor selection or shopping process. Another probable scenario is that you’re already insured, and you’re simply exploring less expensive options. Either way, you’ve most likely thought to yourself at one point in time, "Why is this so expensive?" and "What can I do to lower the premium?" Click here to learn the answers to those questions!
There are quite literally thousands of companies around the world that still rely on password-based authentication. They’ve probably haven’t ever researched the topic, and outlining the benefits of MFA compared to passwords would be exceptionally useful. Check out this blog to learn all about the benefits of MFA and why MFA is better than traditional authentication methods.
Did you know most SSH endpoints have around 200 SSH keys and 90% of them are not used? It's pretty clear that SSH keys are so last season, and that SSH certificates are the way to go when it comes to adhering to the highest standards of cybersecurity/authentication. In this blog, we will show you why SSH certificates are the way of the future, as well as how to set up SSH certificate authentication on your own!
Smartphones have become an integral part of our daily lives – who doesn’t own a smartphone nowadays? Unfortunately, with this growing reliance on smartphones comes an important concern to consider: the safety of phone authentication. While phone authentication is widely perceived as a convenient and secure authentication method, phone authentication is not safe. In this blog, we will explore the dangers of relying solely on phone authentication.
Entra CBA (Certificate-Based Authentication) is by far the best way to secure your organization via Entra MFA. In this article, we will show you how to set up Entra CBA passwordless authentication in 9 easy steps (that’s less than an hour’s worth of steps!).
The fledgling state of the IoT industry often drives manufacturers to prioritize speed over security, hastening to introduce their products before ensuring robust protection. Consequently, they might resort to hardcoded credentials or delegate security responsibilities to hardware vendors. Such lapses present a goldmine for hackers. Click here to learn the best ways that you can improve your Azure IoT device security!
Azure Verifiable Credentials are Microsoft's response to the question of how you can validate that your new employee is who they say they are when they are onboarding to your organization. They even want to go further and have organizations such as Universities add the person's degrees and other information into verifiable credentials, which would allow organizations to validate the education of the person. Check out this blog to learn all you need to know about Azure Verifiable Credentials and how to use them for remote passwordless onboarding.
Let’s cut right to the chase – if you want your organization’s cybersecurity posture to rival that of any organization in the world, phishing-resistant MFA is the way to go. Why? With unphishable MFA, there are no passwords for hackers to steal! No matter what steps you take to make a password "strong," there are always hackers who can take it from you. That's where phishing-resistant MFA (or, unphishable MFA) steps in.
For experts well versed in Microsoft Active Directory, the natural inclination is to domain join Linux Virtual Machines (VMs) with Active Directory. The appeal and logic here is in centralizing Linux endpoint management; however, aligning Linux with a system originally intended for Windows can bring about a "metric f*%$-ton" of unexpected challenges... such a having to run a bunch of highly-privileged agents to emulate Windows, or having to debug from a Linux machine. ...It’s a royal P.I.T.A. The following will give you the quick and dirty as to the best way to do this, which may be counterintuitive to your preconceived notions.
With the rising costs associated with cybercrime, many insurance providers have stated that companies seeking cyber insurance need to take measures to reduce the risk of cyberattacks against them being successful. If organizations adhere to this ask and take precautionary cybersecurity measures, there is a reduced chance of a successful cyberattack and, as such, a reduction in the sum of payouts from the insurance providers. This seems like a win-win, but how can companies best take these precautions? By implementing MFA.
While we certainly do appreciate discussions around tech-driven security, we're convinced that the advancement in present-day authentication and the future of Zero Trust authentication isn't merely about the method, but it revolves around the system. Even top-notch security is ineffective if end-users find it cumbersome and IT struggles to implement it. Basically, what we're trying to say here is that, yes, the method in which you choose to authenticate is cool, but the PROCESS associated with that method has much more impact on all facets of your business. Click here to learn more about how we need to rethink authentication.
Deciding to go passwordless is one thing, but deciding HOW to ACTUALLY do it is another thing altogether. We’ve done our best to summarize the major redeeming qualities of the three most prominent passwordless authentication methodologies - Certificate-Based Authentication (CBA), FIDO2, and Phone. Check out this blog for a high-level synopsis of each authentication method, their ideal use cases, and other key characteristics regarding their employment.
Passwordless authentication and multi-factor authentication are often mistaken for each other. While passwordless is a subset of MFA, MFA is usually used to refer to authentication methods that involve a password as one of the two factors. Conversely, passwordless authentication does away with passwords altogether. If an intruder gets hold of any authentication aspect, they still can't access the account unless they also control the user's phone or hardware key.
Not going to lie, I procrastinate A LOT, and one of the ways I do it is spending time on Reddit. One of the subreddits I spend a lot of time on is the r/YubiKey, and in there I see people asking all the time if YubiKeys are unphishable, and the answer is - it depends on which features you are using. So, let’s break down each of the YubiKey’s features and see which ones are unphishable.
In today's day and age, secure communication is essential for protecting sensitive information and preventing cyber-attacks. One common way to achieve secure communication is by using the Secure Shell (SSH) protocol, which is a widely used cryptographic network protocol for securely exchanging data over a network; however, not all SSH implementations are the same. In particular, there is a difference between traditional SSH and zero trust SSH. In this post, we will explain what zero trust SSH is and why most compliance certifications, such as PCI, require SSH key rotation.
If you’re reading this, you are probably looking for a way to secure your Azure AD (Entra ID) identity with conditional access, multifactor authentication, or network authentication and probably looked at Duo; however, either their pricing or user experience has you looking at an alternative. Luckily, we are here with the alternative, and the best part of it is that it is (mostly) free (or you are already paying for it without knowing it)! Read here to find out all you need to know about the best Duo alternative for Entra ID!
Passwordless authentication seems to be the talk of the cybersecurity world as of late! Going passwordless is a great way to bolster your organization’s cybersecurity posture due to the problems with using passwords and general inefficiencies of other authentication methods. While passwordless authentication is known as the most secure form of authentication out there, is it unphishable? Check out this blog to find out!
Unlike solutions such as Multifactor Authentication (MFA) and Single Sign-On (SSO), which still cling to passwords in some way, true passwordless authentication waves them goodbye. Everything is done without a single password in sight, eliminating one of the most vulnerable attack vectors. It's about time we step into the future of secure access. Check out this blog to learn all you need to know about true passwordless security.
Passwords have been around for decades and are a well-established form of cybersecurity – that is, until hackers started figuring out more and more ways to get around so-called secure passwords. So then, what is the problem with using passwords? Simply put, passwords lack the high levels of security necessary to combat the ever-advancing technology accessible to hackers and bad actors. In 2021 alone, over 6 billion credentials were leaked, and more than 60% of breaches were caused by stolen credentials. That is simply unacceptable. But what is the reason why passwords are not secure?
Passwordless authentication is a scorching hot topic in the cybersecurity world. The name seems self-explanatory - there are no passwords - but how exactly does passwordless authentication work? Check out this blog for a high-level overview of the inner workings of passwordless authentication.
Hardware keys (like YubiKeys) are great ways to go passwordless – in fact, we’re such huge fans that CEO Igal Flegmann has two whole keychains dedicated to YubiKeys! One of the pain points surrounding YubiKeys, though, is the shipping process. At Keytos, we believe that passwordless authentication is the future and nothing should get in the way of implementing it, so we’re here to make shipping YubiKeys worldwide easy. Check out this blog to learn how shipping YubiKeys is made easy with Keytos.
Data breaches can stem from a variety of reasons, but some consistently emerge as the most typical or common culprits. Breaches have evolved from isolated incidents to headlines that regularly dominate the news cycle. From deceptive phishing schemes to the sheer negligence of cloud configurations, the avenues for breaches are broad. With household names like LinkedIn and the UK's National Health Service falling prey to cyber-attacks, no entity seems immune. In this post, we'll delve deep into the four most common types of attacks associated with data breaches, providing real-world incidents that exemplify the gravity and repercussions of such vulnerabilities. Strap in as we navigate the treacherous waters of cybersecurity shortcomings.
This post takes a look at the high-level steps associated with the process of deploying FIDO2 keys efficiently in a cloud-only environment. Additionally, we'll guide you through the maze of choices, pointing you towards the most credible vendors and solutions available in the market.
The short answer is exactly that - short. Yes, Azure does support FIDO2. As there always seems to be with Microsoft, though, there is one glaring exception to this rule. Check out this blog to learn more about this exception and why your organization should start using hardware keys!
The growing demand amongst businesses of all shapes and sizes for passwordless authentication has brought FIDO2 to the forefront of the cybersecurity community. As businesses continue to adopt hybrid work environments, there is an increasing need to find solutions that integrate well with both on-premises and cloud-based systems. In the following post, we’ll discuss how FIDO2 can be implemented for on-premises Active Directory (AD) and how you can use PIV certificates to complement FIDO2 for legacy systems.
You will almost certainly encounter the question of how much YubiKeys cost on your journey of going passwordless. With CISOs becoming increasingly cost-conscious, understanding the price of security keys is a critical piece of information when it comes to selecting the right hardware for your organization. We applaud you for exploring the undisputed industry leader in passwordless solutions, Yubico, and their increasingly popular YubiKey! Read here for a detailed breakdown of the features of the various options available as well as the associated costs.
SSH certificates are the best way to avoid the many issues that come with using SSH keys. In this blog, we take a look into what SSH certificates are & how SSH certificates work.
SSH keys present a plethora of problems, and the majority of engineers have not received proper security training on the best practices. How can your organization circumvent the problems of SSH keys? Read here to find out!
One of the most common questions when going passwordless is how do you support legacy systems, While Microsoft supports FIDO2 on premises, the best solution, is to use SmartCard for legacy and FIDO2 for modern authentication.
Passwords have become an integral part of our daily lives, but have you ever stopped to think about the actual cost of using them as your primary means of authentication? I’m talking about in terms of both time & money. Well, here at Keytos, we certainly have! Read here as we delve deeper into the hidden costs associated with conventional password-based authentication.
2FA (Two-Factor Authentication) and MFA (Multi-Factor Authentication) are two of the most popular and mainstream acronyms in the realm of cybersecurity. What do they mean? Which is best for your organization? Click here to find out all you need to know about 2FA vs MFA!
Stop phishing attacks with Microsofts unphishable credentials by using PIV X.509 certificates in Azure with Azure certificate based authentication (CBA) and become a fully passwordless organization.
We’re exceptionally thankful for all that passwords have done for us; but, as things progress, we're discovering a glaring issue - passwords, as we know them, are rapidly becoming an outdated and unreliable method of authentication. Here are some of the most common shortfalls...
Going passwordless in Linux has never been easy - we get it. As a matter of fact, the history of passwordless authentication in Linux is equally as fascinating as it is triggering. Let's take a deep dive, shall we?
When looking at passwordless options, you might have heard of PIVKey smart cards. PIVKey is a great option for passwordless authentication with a smartcard, however, it is not the easiest to onboard. This is why we created this guide to help you onboard PIVKey smart cards to Azure CBA and AD Smart Card Authentication.
With cybersecurity you are as secure as your weakest point. Therefore, if you implement Azure passwordless and use TAP to onboard, attackers will target your TAP issuing process to gain access to your infrastructure. Learn how to remove the human from this process and use self-onboarding to passwordless authentication.
When looking at passwordless options, the first option that comes to mind is YubiKeys. While they are awesome once you issue them, they are not the easiest to onboard. This is why we created this guide to help you onboard YubiKeys to Azure CBA and FIDO2.
Passwords alone are no longer considered secure, and organizations worldwide are moving towards passwordless authentication methods. One such method is using hardware tokens like YubiKeys and the FIDO2 protocol. But how can you enable these methods for Microsoft Office 365 apps on macOS or iOS? Read this blog to learn how!
Going passwordless is no only exponentially more secure, it has also been shown to improve productivity and reduce wasted time. This page is the perfect starting point to learn more about about which passwordless method is best for you.
The number of phishing attacks has risen sharply over the years. For small businesses, relying solely on employee awareness and email filters isn't enough. The answer? Unphishable credentials. Read on to find out how unphishable credentials can help secure your small business.
The only way to stop attackers from phishing your passwords is to remove them completely. Learn how to go fully passwordless in Azure AD (Entra ID). From setting up FIDO2 and Azure CBA to creating passwordless users in Azure AD, we cover it all.
Traditional password-based authentication methods are no longer sufficient to protect sensitive company data and infrastructure. To address these concerns, Azure Active Directory (Azure AD) offers passwordless authentication to enhance protection and improve the user experience. Read on to learn more about Azure CBA and how to get started!
When looking at passwordless authentication, the two most popular options are FIDO2 and Smartcard authentication, but what is the difference between the two? Which one should you use? in this blog we discuss the difference between FIDO2 and Smartcard authentication and which one is best for each scenario.
With phishing attacks on the rise, organizations are moving to phishing resistant /unphishable credentials to protect their organizations. However, extra security is not the only benefit; they are also saving money.
As more organizations move to cloud-based solutions, the importance of secure and compliant authentication methods has become increasingly critical. While passwordless authentication methods are the pinnacle of security, they have a reputation of being incredibly tedious to set up. Learn how EZCMS can help you improve security while removing onboarding friction with FIDO2, Azure CBA, and Passwordless Phone Authentication.
While Domain joining your Linux machines to Active Directory might sound like a good way to do identity and access management for Linux at scale. Linux was not designed for this, and in the long term it will cause more issues than it solves. The solution SSH Certificates!
SSH has become the weakest point in cloud security and hackers have noticed. Over the past few years we have seen an exponential increase of cyber attacks targeted to SSH. Organizations adopting zero-trust architecture must take a hard look at their existing identity management for SSH.
SSH Keys were designed for a time when SSH was protected by a strong network barrier. With today's zero trust world a stronger passwordless identity story is needed. This is why we created the first agent-less AAD based authentication for Linux endpoints.
At cloud scale simple tasks such as SSH key management become exponentially harder to do. Large companies such as Lyft and Facebook have moved on to SSH Certificates time for you to make the jump too!
SSH has become a target in the latest round of security breaches. Learn how SSH Certificates are the best way to protect your infrastructure by removing the need of life cycling SSH keys and improving user experience.
SSH Keys have been the security standard for the last few decades. Time to modernize with a more secure and easy to lifecycle solution SSH Certificates.