01 February 2018

Multi Factor Authentication - Duo and Yubikey

Multi Factor Authentication / 2 Factor Authentication is not just all the rage today, but a necessity in today's ultra-connected world.  The balance between security and convenience is a hard one, but it has to be weighed and measured for you, your information, and the assets you are responsible for.


I have used, implemented, advised on, and researched several forms of Multi Factor Authentication (MFA).  Simply stated, MFA or 2FA means that you must present two (or more) pieces of evidence to authenticate, and they must come from different categories.  The categories are knowledge (something you know), possession (something you have), and inherence (something you are).  Knowing a password (knowledge) AND having a USB smart card plugged in (possession) is MFA.  The implementation on many social media and shopping sites is a password AND a number generated by a time-based one-time-password (TOTP) dongle or app (possession).  A code sent over SMS is weaker: the message can be intercepted or redirected (SIM swap, SS7 attacks) and NIST SP 800-63B classifies SMS delivery as a restricted authenticator, so password-plus-SMS is better described as 2SV than as true 2FA.  A fingerprint reader (inherence) combined with a counter-based one-time password from a hardware token (HOTP, possession) is another valid pair.

Some Definitions:

2FA - 2 Factor Authentication, use of two factors from two different categories (for example a password plus a hardware token).
2SV - 2 Step Verification, use of two authentication steps that are NOT necessarily from different categories (for example a password plus a code sent by SMS or e-mail).
AD - Active Directory, Microsoft's enterprise directory service and central store for user accounts, passwords, groups, and policy.
Biometrics - Using unique human attributes (fingerprint, face, iris) to authenticate.
FERPA - Family Educational Rights and Privacy Act, safeguards and security provisions to protect student information, and to allow parents and students reasonable access to their data.
HIPAA - Health Insurance Portability and Accountability Act of 1996, safeguards and security provisions to protect medical information.
HOTP - HMAC-based One Time Password (RFC 4226), a password computed from a shared secret and a counter that advances on each use, typically by a button press on a hardware token.
Inherence - Inherence Factor, a factor of MFA, aspects that are integral to the individual in question, like biometrics. Something you are.
International Safe Harbor Privacy Principles - a framework agreed between the US Department of Commerce and the European Commission under which US organizations self-certified to EU-style data protection principles so that personal data could lawfully be transferred out of the EU; struck down by the Court of Justice of the EU in October 2015 and replaced by the EU-US Privacy Shield.
Knowledge - a factor of MFA, something that is known only to the user, like a password. Something you know.
MFA - Multi Factor Authentication, any time that 2 or more unique authenticating factors are required to allow access to a resource or asset; this includes 2FA, 3FA, 4FA, etc. Factors include Knowledge, Possession, and Inherence.
NFC - Near-Field Communication, wireless technology for communication over very short distances, typically a few centimeters.
NIST - National Institute of Standards and Technology; its Special Publication 800-63B (Digital Identity Guidelines) sets the US federal standards and recommendations for authenticators and MFA.
OTP - One Time Password, a password that can only be used once, generated from pre-shared secret material and an algorithm keyed on either the current time (TOTP) or a counter (HOTP).
PCI - Payment Card Industry, most often referring to the Payment Card Industry Data Security Standard, a set of security requirements for anyone who stores, processes, or transmits cardholder data.
PIV - Personal Identity Verification, a standard for a specific type of smart card that can be used as an access card.  Standardized by FIPS 201 and used by US federal agencies; the YubiKey implements the PIV card interface.
PKI - Public Key Infrastructure, all the components (certificate authorities, templates, enrollment, revocation) needed to issue and trust public key certificates.
Possession - a factor of MFA, a physical object the user holds (token, smart card, phone) that should be hard to duplicate and is used to authenticate or verify a specific user. Something you have.
SmartCard - any number of pocket sized devices that have an embedded integrated circuit.  They can contain personal identification, authentication, data storage, application processing, etc.  They can be contact based or contactless.
SMS - Short Message Service, the GSM service used to send and receive short text messages between mobile devices.  NOTE: because messages can be intercepted or redirected (SIM swap, SS7 attacks) and read by carrier personnel, NIST SP 800-63B classifies SMS delivery of codes as a RESTRICTED authenticator.
Spoofing - a form of subterfuge in which communication from an unknown source is disguised as coming from a source known to the receiver.
TOTP - Time-based One Time Password (RFC 6238), a password computed from a shared secret and the current time by a hardware token or an app.
VPN - Virtual Private Network, a private network that allows confidential and secure communication over public networks.


In 2017 we saw a huge uptick in cyber attacks.  Equifax, Yahoo, FedEx, and Uber disclosed breaches, countless Facebook, Gmail, and Twitter accounts were compromised, and with worms like WannaCry, NotPetya, and Bad Rabbit the reality is that you cannot be too careful.

Passwords can be cracked, phished, shared, and stolen.  MFA applies a second (or third, fourth, etc.) factor and therefore adds another layer of defense: a stolen password alone no longer gets an attacker in.  The cost of a security breach is greater than the cost of 2FA, and the extra step forces you to be mindful of what you are accessing, where you are accessing it from, and what its loss would mean.

Furthermore, if you are a business or entity whose compliance regime (PCI DSS, HIPAA, FERPA, Safe Harbor) requires or expects MFA, then put forth the effort now so you don't get blindsided later.


In my mind, any MFA solution has to have certain pieces:

1) Secure - No bypassing, no spoofable devices, no shared devices; user tokens/certificates/passwords/etc. need to be easily revocable.
2) Failover - The solution needs to be reliable.  While staying secure, there needs to be more than one way to authenticate the 2nd factor, in case the infrastructure for the 1st method fails.  Failover must never mean fail open.
3) Usability - If there is no end-user buy-in, it won't get used, it will get bypassed, and it will all be for nothing.... period.
4) Deployability - Sometimes referenced as scalability.  It should be easy to go from 10 users to 100 users overnight.
5) Maintainability - Once the solution is operational, how often will it need maintenance, and how many help desk calls are going to be about this solution?

There are LOTS of MFA solutions, but the one I want to walk through today is Duo.  The maintainability, deployability, and usability are there, and it can be made secure.  The problem I had with their module for securing Windows desktop logon was that if the machine was not connected to the internet, there was no way to verify the 2nd factor.  It does, however, allow failover to a smart card.  This is where the YubiKeys come in.


Duo is well documented, and it's worth trying for free for 10 users.  To set up Duo Authentication for Windows Logon and RDP, follow their instructions here: https://duo.com/docs/rdp

For my purposes, I have the installer run from a batch file with my pertinent information.  Make sure you allow smart cards, do NOT let it fail open, and since I was securing both local and remote sessions, turn off RDP only.  The three boolean properties below (SMARTCARD, FAILOPEN, RDPONLY) are the installer properties documented on the Duo page linked above; they take "#1" for on and "#0" for off.

rem Duo Windows Logon install: smart-card fallback on, fail closed, protect console logon as well as RDP
msiexec.exe /i DuoWindowsLogon64.msi IKEY="" SKEY="" HOST="" SMARTCARD="#1" FAILOPEN="#0" RDPONLY="#0"

This means that if Duo can't reach its cloud service, your users can still log in with the smart card (and, because fail open is off, not without it).  If you use YubiKeys you can also enroll them with Duo as hardware tokens to provide the OTP.

To tighten Duo itself, I turn off the authentication methods that can be spoofed or intercepted (SMS passcodes in particular), and I require an encrypted OS on the phone and biometrics to open the Duo Mobile app.

Now, when users log in, they get a prompt to authenticate through Duo.

But what happens if the internet is disconnected, or the user is on an airplane with a laptop, etc?


This is where having the smart card option is key.  If you enabled smart cards at install, Duo is already set.  To leverage a YubiKey, or any smart card, you will need a PKI.  That starts with a Certificate Authority to issue the logon certificates; then your machines need to trust that CA and accept smart cards (domain members pick up an Enterprise CA's certificate from AD automatically, and each domain controller needs its own Domain Controller or Kerberos Authentication certificate from that CA, which an Enterprise CA normally auto-enrolls); and finally you need a way to enroll certificates onto the cards.

I would recommend reading the following documents if this is the road you want to go down:

Setting Up a Certificate Authority
YubiKey Smart Card Deployment Guide
YubiKey Smart Card Minidriver User Guide
YubiKey PIV Manager User's Guide
Yubico PIV Tool Command Line Guide

The down and dirty goes like this:

A) Create a Certificate Authority on a fresh server install (found in the Microsoft and Yubico documentation)

1. Open Server Manager and choose Add roles and features, > Next.
2. > Role-based or feature-based installation > Next.
3. > Select a server from the server pool.
4. Select your new server.
5. Under Server Roles, > Active Directory Certificate Services, > Next.
6. > Add Features, > Next.
7. > Next again.
8. > Certification Authority, > Next.
9. > Install. Allow several minutes for the process to complete.
10. > Configure Active Directory Certificate Services on the destination server, > Next.
11. > Certification Authority, > Next.
12. Choose Enterprise CA, > Next.
13. Choose Root CA, > Next.  (A single Enterprise Root CA is what the Yubico guide walks through and is fine for a lab; for production the usual recommendation is a two-tier hierarchy with an offline root and an online issuing CA.)
14. Create a new private key, > Next.
15. Select the cryptographic provider, hash algorithm, and key length for the private key, > Next.
(Yubico recommends sticking with the default values, RSA 2048 with SHA-256.  A larger CA key means a larger signature on every certificate it issues, and each issued certificate has to fit in a YubiKey PIV slot.)
16. Common name and Distinguished name will be automatically populated. Confirm the values match the server name and domain name, > Next.
17. Select the validity period for the Certification Authority certificate, > Next.
18. Leave the Database locations to the default values > Next.
19. Verify all settings match the desired values, > Configure.
20. When the process completes, exit the installation wizard.
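The twenty wizard clicks above, scripted, with the checks the wizard does not do for you.  This is an added example, not code from the original post or from the Microsoft or Yubico documentation it cites.  It assumes an elevated PowerShell session on a freshly domain-joined Windows Server (2012 R2 or later), run as an Enterprise Admin; the CA common name CONTOSO-ROOT-CA is a placeholder.

```powershell
# Added example: build the Enterprise Root CA from steps 1-20 above in one script.
# Assumptions: elevated PowerShell on a domain-joined server, run as an Enterprise Admin;
# the CA common name is a placeholder. The crypto settings are the wizard defaults the post
# says to keep (RSA 2048, SHA-256, software KSP, five-year root validity).
$ErrorActionPreference = 'Stop'
$CaCommonName = 'CONTOSO-ROOT-CA'   # placeholder, change to your naming convention

# Steps 1-9: install the AD CS role. -IncludeManagementTools brings certsrv.msc and certtmpl.msc.
$feature = Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools
if (-not $feature.Success) { throw "AD CS role install failed: $($feature.ExitCode)" }

# Steps 10-19: configure the role as an Enterprise Root CA with a new key.
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName $CaCommonName `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 2048 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 5 `
    -Force

# Step 20, plus verification.
# 1. The CA service is running.
$svc = Get-Service -Name CertSvc
if ($svc.Status -ne 'Running') { throw "CertSvc is $($svc.Status), expected Running" }

# 2. The CA certificate is what we asked for. An Enterprise Root CA's own certificate lands in
#    the machine's Personal store (and is published to AD so domain members trust it).
$caCert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$CaCommonName,*" -or $_.Subject -eq "CN=$CaCommonName" } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $caCert) { throw "CA certificate for $CaCommonName not found in LocalMachine\My" }

$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($caCert)
if ($rsa.KeySize -ne 2048) { throw "Unexpected CA key size $($rsa.KeySize)" }
if ($caCert.SignatureAlgorithm.FriendlyName -ne 'sha256RSA') {
    throw "Unexpected CA signature algorithm $($caCert.SignatureAlgorithm.FriendlyName)"
}
if ($caCert.NotAfter -lt (Get-Date).AddYears(4)) { throw "CA validity shorter than expected" }

# 3. certutil agrees it is an Enterprise Root, so the template workflow in C) and D) will work.
$caType = certutil -cainfo type
if (-not ($caType -match 'Enterprise Root CA')) { throw "CA type check failed:`n$caType" }

Write-Host "Enterprise Root CA '$CaCommonName' is up. Thumbprint: $($caCert.Thumbprint)"
Write-Host "Next: install the YubiKey minidriver (B) and publish the templates (C, D)."
```

Run it once; Install-AdcsCertificationAuthority refuses to configure a server that already hosts a CA.  The thumbprint it prints is the value to pin in any out-of-band record of your root, since every smart card logon from here on chains to it.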

B) Install the minidriver
1. Download the minidriver: https://www.yubico.com/support/knowledge-base/categories/downloads/
2. Unzip
3. Right-click the .inf file (Windows shows its type as "Setup Information") and choose Install

C) Create an Enrollment Agent so you can enroll certs on behalf of your users.
If you want to allow users to self-enroll, follow the documentation in the deployment guide above instead.
1) Open the Certificate Templates console by running certtmpl.msc
2) Right-click the template named Enrollment Agent and choose Properties

3) In the Security tab, ensure that the user(s)/group(s) who will enroll on behalf of others have Read and Enroll permissions on the template.  Keep this group small: an Enrollment Agent certificate lets its holder obtain smart card logon certificates for any user the CA will issue for, domain admins included.  In certsrv.msc, the CA's Properties > Enrollment Agents tab lets you restrict which agents may enroll which templates for which users; use it.
4) Open the Certification Authority console by running certsrv.msc
5) Right-click Certificate Templates, and under New choose Certificate Template to Issue.

6) Select the Enrollment Agent template
7) Open certmgr.msc
8) Under Certificates - Current User, expand Personal > Certificates
9) Right-click, All Tasks > Request New Certificate
10) Select Active Directory Enrollment Policy, select the Enrollment Agent template, and click Enroll.

D) Create a smart card certificate template
1) Open the Certificate Templates console by running certtmpl.msc
2) Right-click Smartcard Logon and select Duplicate Template.
3) Set up the new template (named YubiKeySC below) following the YubiKey Smart Card Deployment Guide.

4) Open the Certification Authority console by running certsrv.msc
5) Right-click Certificate Templates, and under New choose Certificate Template to Issue.

6) Select the YubiKeySC template
7) Open certmgr.msc
8) Under Certificates - Current User, expand Personal > Certificates
9) Right-click, All Tasks > Advanced Operations > Enroll On Behalf Of
10) Select Active Directory Enrollment Policy, browse to and choose your Enrollment Agent cert, select the YubiKeySC template, choose the correct user, and click Enroll with the user's YubiKey plugged in.
11) The default PIN is 123456 (the default PUK is 12345678; see section E).
12) MAKE SURE THE USER CHANGES THEIR PIN.  It must be 6-8 characters and can be a combination of letters and numbers.  They can change it by pressing Ctrl-Alt-Del, switching to the smart card with the Sign-in options button, and choosing to change the PIN.
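Changing the PIN is not enough on its own.  After enrollment the token still carries the factory PUK (12345678) and the factory management key, and anyone who knows the PUK can unblock a locked PIN and set a new one (yubico-piv-tool -a unblock-pin), which turns the PIN into decoration for whoever picks up a lost key.  The following is an added example, not code from the original post or from Yubico's documentation: a PowerShell script that rotates PIN, PUK, and management key on a just-enrolled YubiKey using the Yubico PIV Tool the post links.  It assumes yubico-piv-tool.exe is on PATH (the install path is an assumption), exactly one YubiKey is plugged in, and the factory defaults documented by Yubico are still in place.

```powershell
# Added example: harden a freshly enrolled YubiKey by replacing its factory PIN, PUK and
# management key via yubico-piv-tool. Not from the original post or Yubico's docs.
# Assumptions: yubico-piv-tool.exe is on PATH, one YubiKey is inserted, and the factory
# defaults are still set (PIN 123456, PUK 12345678, 3DES management key 0102...0708).

function Invoke-PivTool {
    # Run yubico-piv-tool and turn a non-zero exit into a terminating error.
    param([string[]]$ToolArgs)
    $out = & yubico-piv-tool @ToolArgs 2>&1
    if ($LASTEXITCODE -ne 0) { throw "yubico-piv-tool $($ToolArgs[0..1] -join ' ') failed: $out" }
    return $out
}

function New-RandomDigits {
    # Cryptographically random decimal string, rejecting bytes 250-255 to avoid modulo bias.
    param([int]$Count)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $digits = New-Object System.Text.StringBuilder
    $b = New-Object byte[] 1
    while ($digits.Length -lt $Count) {
        $rng.GetBytes($b)
        if ($b[0] -lt 250) { [void]$digits.Append($b[0] % 10) }
    }
    $digits.ToString()
}

function New-ManagementKey {
    # 24 random bytes as hex: the 3DES management key format the YubiKey PIV applet expects by default.
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $k = New-Object byte[] 24
    $rng.GetBytes($k)
    ($k | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Protect-YubiKeyPiv {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$NewPin,          # user-chosen, 6-8 characters
        [string]$OldPin     = '123456',
        [string]$OldPuk     = '12345678',
        [string]$OldMgmtKey = '010203040506070801020304050607080102030405060708'
    )
    if ($NewPin.Length -lt 6 -or $NewPin.Length -gt 8) { throw 'PIN must be 6-8 characters' }
    if ($NewPin -eq $OldPin) { throw 'Refusing to keep the factory PIN' }

    $newPuk = New-RandomDigits -Count 8
    $newKey = New-ManagementKey

    # Order matters: rotate the management key first, while the old one is still known and valid.
    # --key=/--new-key= use the equals form because yubico-piv-tool treats -k's argument as optional.
    Invoke-PivTool @('-a', 'set-mgm-key', "--key=$OldMgmtKey", "--new-key=$newKey") | Out-Null
    Invoke-PivTool @('-a', 'change-puk', '-P', $OldPuk, '-N', $newPuk)              | Out-Null
    Invoke-PivTool @('-a', 'change-pin', '-P', $OldPin, '-N', $NewPin)              | Out-Null

    # Verify: the new PIN is accepted (which also resets the retry counter) and read back status.
    Invoke-PivTool @('-a', 'verify-pin', '-P', $NewPin) | Out-Null
    $status = Invoke-PivTool @('-a', 'status')
    $tries  = [regex]::Match(($status -join "`n"), 'PIN tries left:\s*(\d+)').Groups[1].Value
    $serial = [regex]::Match(($status -join "`n"), 'Serial Number:\s*(\d+)').Groups[1].Value

    # The PUK and management key go into your secrets store; the user keeps only the PIN.
    [pscustomobject]@{
        Serial        = if ($serial) { $serial } else { 'unknown' }
        PinTriesLeft  = if ($tries) { [int]$tries } else { $null }
        Puk           = $newPuk
        ManagementKey = $newKey
    }
}

# Usage (placeholder PIN):
# Protect-YubiKeyPiv -NewPin 'S3cret8' | Export-Clixml "$env:TEMP\yubikey-escrow.xml"
```

Escrow the returned PUK and management key against the key's serial number in whatever vault your help desk already uses; the PUK is what lets you unblock a forgotten PIN without the full reset in section E, and the management key is what the enrollment agent needs to load a replacement certificate later.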

E) Resetting a smart card after a user locks their PIN
It will happen.  If you still know the PUK you can simply unblock the PIN; if the PUK is gone too, the only way back is a full reset, which wipes every key and certificate on the token.  You can use the PIV Manager to reset it, or you can download the PIV tool and run the following batch file.  A reset is only accepted once both the PIN and the PUK retry counters are exhausted, which is why the script deliberately burns them with wrong values first:


@echo off
echo Yubikey will be reset and
echo you will erase the current Certificate.
:choice
set /P c=Are you sure you want to continue [Y/N]?
if /I "%c%" EQU "Y" goto :yes
if /I "%c%" EQU "N" goto :no
goto :choice

:yes
echo Resetting Yubikey...
rem Block the PIN: three wrong attempts exhaust the default retry counter (a fourth is harmless)
~path\yubico-piv-tool -a verify-pin -P 000000
~path\yubico-piv-tool -a verify-pin -P 000000
~path\yubico-piv-tool -a verify-pin -P 000000
~path\yubico-piv-tool -a verify-pin -P 000000
rem Block the PUK the same way (for change-puk, -P is the current PUK and -N the new one)
~path\yubico-piv-tool -a change-puk -P 000000 -N 000001
~path\yubico-piv-tool -a change-puk -P 000000 -N 000001
~path\yubico-piv-tool -a change-puk -P 000000 -N 000001
~path\yubico-piv-tool -a change-puk -P 000000 -N 000001
rem reset succeeds only with both PIN and PUK blocked; it wipes all keys and certificates
rem and restores the factory PIN, PUK and management key
~path\yubico-piv-tool -a reset
echo exiting.............
goto :eof

:no
echo Yubikey was not reset.
echo exiting.............

After the YubiKey is reset it is back at factory defaults (PIN 123456, PUK 12345678, default management key), so it will have to be re-enrolled and hardened again, and the old certificate must be revoked at the CA.  Revocation reaches the domain controllers only when they fetch a fresh CRL, so a revoked logon certificate can keep working until the cached CRL's NextUpdate unless you publish a new CRL and clear the DC's cache.
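The revocation half of that, as an added example that is not part of the original post: find the YubiKeySC certificates the CA database holds for a user, revoke them with certutil, and publish a new CRL.  It assumes an elevated session on the CA server (or certutil pointed at the CA with -config), the template name YubiKeySC from section D, and the CA database column names certutil documents for -view; the user name in the usage line is a placeholder.

```powershell
# Added example: revoke the certificates a reset or lost YubiKey held, then publish a new CRL.
# Not from the original post. Assumes an elevated session on the CA and the YubiKeySC template
# from section D. certutil's -view column names (RequestID, SerialNumber, CommonName,
# CertificateTemplate, Disposition) are the schema names; its csv output uses display-name
# headers, so we discard that header line and supply our own.

function Get-IssuedSmartCardCerts {
    param(
        [Parameter(Mandatory)][string]$UserCommonName,   # subject CN as the CA issued it
        [string]$TemplateName = 'YubiKeySC'
    )
    # Disposition 20 = issued. Enroll-on-behalf-of requests are recorded under the agent's
    # name, so match on the issued subject CN rather than RequesterName.
    $raw = certutil -view -restrict 'Disposition=20' `
                   -out 'RequestID,SerialNumber,CommonName,CertificateTemplate' csv
    if ($LASTEXITCODE -ne 0) { throw "certutil -view failed:`n$raw" }
    $rows = $raw | Where-Object { $_ -match '^"' } | Select-Object -Skip 1 |
        ConvertFrom-Csv -Header 'RequestID', 'SerialNumber', 'CommonName', 'Template'
    # The template column carries the OID followed by the template name; match on the name.
    $rows | Where-Object { $_.CommonName -eq $UserCommonName -and $_.Template -like "*$TemplateName*" }
}

function Revoke-SmartCardCerts {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$UserCommonName,
        [string]$TemplateName = 'YubiKeySC',
        [ValidateSet('Unspecified', 'KeyCompromise', 'Superseded', 'CessationOfOperation')]
        [string]$Reason = 'Superseded'
    )
    # certutil -revoke reason codes: 0 unspecified, 1 key compromise, 4 superseded, 5 cessation of operation
    $reasonCode = @{ Unspecified = 0; KeyCompromise = 1; Superseded = 4; CessationOfOperation = 5 }[$Reason]

    $certs = Get-IssuedSmartCardCerts -UserCommonName $UserCommonName -TemplateName $TemplateName
    if (-not $certs) {
        Write-Warning "No issued $TemplateName certificates found for '$UserCommonName'"
        return
    }
    foreach ($c in $certs) {
        $target = "serial $($c.SerialNumber) (request $($c.RequestID)) for $($c.CommonName)"
        if ($PSCmdlet.ShouldProcess($target, "Revoke as $Reason")) {
            $out = certutil -revoke $c.SerialNumber $reasonCode
            if ($LASTEXITCODE -ne 0) { throw "Revocation of $($c.SerialNumber) failed:`n$out" }
        }
    }
    # Publish immediately instead of waiting for the scheduled CRL; DCs still honor their cached
    # copy until NextUpdate unless you clear it there (certutil -urlcache crl delete).
    if ($PSCmdlet.ShouldProcess('CA', 'Publish new CRL')) {
        $out = certutil -crl
        if ($LASTEXITCODE -ne 0) { throw "CRL publish failed:`n$out" }
    }
    $certs
}

# Usage (placeholder user). Dry run first, then for real:
# Revoke-SmartCardCerts -UserCommonName 'Jane Doe' -Reason KeyCompromise -WhatIf
# Revoke-SmartCardCerts -UserCommonName 'Jane Doe' -Reason KeyCompromise
```

Pick the reason honestly: a key you reset on your own bench is Superseded; a key that was lost or stolen is KeyCompromise, and in that case also disable the account or reset its password until the replacement token is in the user's hands.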

Other Considerations

As I said earlier, this is just one of many options.  Start the conversation now because if you are not using any form of MFA or 2SV then ANYTHING you do is more secure than what you have right now.

I am not paid by any of the aforementioned companies; in fact, I pay them for the use of their services and devices.

Make sure you enroll your YubiKeys in Duo as well as enabling the smart card feature.  Then you can use them as an OTP token and don't have to rely on the app: https://duo.com/docs/yubikey

Finally, do your homework.  The more prepared you are, and the more you experiment with these items in your own environment, the better prepared you will be for the challenges ahead.
