2FA and MFA (Two-Factor Authentication and Multi-Factor Authentication) are some of the best ways your organization can protect users’ accounts without going passwordless (though we at Keytos are massive proponents of passwordless authentication – just take a look at this blog on the problem with passwords to see why). Some of the best ways to implement MFA are hardware keys (such as YubiKeys) and apps (such as the Microsoft Authenticator app). While these MFA methods are fantastic, they have one glaring flaw – as physical devices, they can be lost. It is not hard to imagine someone losing their YubiKey or their mobile device somewhere – so, what happens if an employee loses their device?
We’ll keep our fingers crossed that neither you nor your organization will ever have to deal with lost YubiKeys, but something like this is almost inevitable. So, what happens if you lose your YubiKey? In that case, you can still use your Authenticator app (phew!). While you can’t create a backup YubiKey, you can always contact Yubico to get a replacement key.
Hardware keys are so great because they come on unidentifiable USB sticks. What that means is, should anyone find a lost YubiKey that doesn’t belong to them, they can’t figure out what device it corresponds to. How’s that for security?
With YubiKeys, your organization’s IT department can determine if and how an employee who lost their key can recover it – unfortunately, certain recovery methods are more high-risk than others. Often, the easier it is to recover a lost YubiKey, the less secure the recovery method is. It’s vital that your organization takes into account the balance between ease of recovery and security before deciding on a YubiKey recovery strategy.
One reason EZCMS is the best CMS for Azure is that it can be a great help when someone in your organization inevitably loses their YubiKey. When you declare a YubiKey as lost, EZCMS will revoke all of your certificates and your FIDO key, making the lost YubiKey practically useless.
EZCMS also helps with getting a new YubiKey! Once you get a new YubiKey, EZCMS allows you to self-onboard – EZCMS employs industry-leading face recognition and government ID scanning technology to verify user identities.
Most people’s Microsoft Authenticator device of choice is, logically, their cell phone. Microsoft knows this. That is why Microsoft allows users to choose a new Authenticator device via a backup code that is sent to them. With this, if someone loses their cell phone (or whichever device they use for the Microsoft Authenticator app), they can still recover their account and switch devices.
Ultimately, there are very few ways for someone to truly and wholly lose their Microsoft authentication. So long as they are able to conduct the recovery process, they can use their authenticator, and even if they are unable to get back into the app, they can typically find a way to reset their account.
Usually, if you lose your Authenticator device, you have to call your IT helpdesk and request a TAP (Temporary Access Pass); however, with EZCMS, we can identify your face and your ID to onboard you without ever having to bother the lovely folks over at IT, saving everyone time, money and headaches.
Want to learn more about how EZCMS can help your organization? Check out how it works or schedule a FREE consultation with one of our passwordless experts today!