How Do I Require U2F Keys for MFA?




As organizations look to secure employees who work from home, multi-factor authentication (MFA) — also known as two-factor authentication or 2FA — offers a sure-fire method to keep identities locked down, regardless of where work happens. Specifically, universal second factor (U2F) security keys may provide the most security out of the MFA options available, making them a desirable solution for IT administrators with WFH users.

If you want to employ U2F keys for MFA at your organization, here’s how you can require them across your IT environment. Before we begin, however, let’s explore why an organization would require U2F key MFA in the first place.

Why U2F Keys?

Multi-factor authentication provides IT organizations with a way to secure end user identities, even if they’re working from home. In practice, MFA requires the presentation of an additional identification factor when accessing a tool or service beyond the usual username and password combination.

Security

Although there are many different forms of MFA, universal second factor security keys offer a more secure and streamlined process than their counterparts. This is largely due to the fact that, unlike most other MFA methods, U2F keys are physically inserted into the user’s device or must connect via Bluetooth signal, making them harder to compromise, especially when users work from home.

In a study of basic MFA methods published on the Google Security Blog, physical MFA methods like U2F keys were found to be up to 100% effective at preventing account takeovers. Compared with other MFA methods like text/SMS codes or device-prompted MFA, which can be intercepted by hackers, physical keys take the cake as the most secure form of authentication according to the study. This can also be attributed to the fact that U2F keys must physically interact with the user’s device to function.

Convenience

Beyond the security benefits, U2F keys provide another benefit for organizations requiring MFA: convenience. Other MFA methods, such as SMS, require the end user to input a code after entering their username/password credentials. Many times, these codes are time-sensitive, expiring anywhere from 30 seconds to an hour after they are issued. End users, especially C-Suite level executives, may find this process cumbersome. On the other hand, with U2F keys, the user simply plugs the key into an available port and presses a button on the key itself when prompted in order to authenticate.

U2F keys are easier on IT admins, too. Other methods for MFA require that admins train end users on how and when they need to input codes, as well as what MFA app to download. With U2F keys, admins need to dropship each user their respective key, then instruct them to insert it into their machine and press the button when prompted.

How to Require U2F Keys for MFA

When it comes to requiring U2F keys for MFA in an organization, admins can employ JumpCloud® Directory-as-a-Service® to enforce U2F keys across their applications and cloud-based infrastructure.

What is JumpCloud?

JumpCloud Directory-as-a-Service is an all-in-one, cloud-based identity, access, and device management platform. Over a hundred thousand IT organizations around the world rely on JumpCloud to manage their users and their access to virtually any IT resource at play in their environment.

You can use JumpCloud’s WebAuthn functionality to enforce U2F keys or device-native fingerprint scanners for MFA upon entry to the JumpCloud User Portal. The User Portal provides end users with access to their web application and Infrastructure-as-a-Service accounts through SAML single sign-on (SSO). End users can also leverage Windows Hello biometric logins.

Directory-as-a-Service can also be used to enforce TOTP and Duo Push MFA at the device level, as well as on VPN connections through JumpCloud’s RADIUS-as-a-Service.

Beyond MFA, IT admins can rely on JumpCloud to manage their users’ identities, Mac®, Windows®, and Linux® devices, and access to applications — both in the cloud and on-premises. JumpCloud also offers an associated directory event logging tool, Directory Insights™, which provides organizations with a top-down view into authentications and other changes made around their Directory-as-a-Service to aid in proving compliance. 

Try JumpCloud Free

If you want to manage users, devices, and resources from the same solution that you use to require U2F keys for MFA, you can try JumpCloud to see if the cloud directory platform is right for you.

Signing up for JumpCloud is absolutely free — no credit card required — and includes 10 users and devices for as long as you need. If you need help getting started, you can leverage 10 days of 24×7 live chat support after signing up at no additional cost.

