As distributed organizations tighten security around their remote workforces’ application access, many find that multi-factor authentication (MFA/2FA) delivers consistent benefits. Depending on the type of MFA used, however, employees working from home may run into friction that administrators cannot resolve in person.
Universal 2nd Factor (U2F) security keys, such as the YubiKey, give end users a simple experience and can be shipped directly to remote employees. Combined with a cloud directory service, they let IT admins enforce MFA for access to cloud applications.
How U2F MFA Works
As a practice, MFA is self-explanatory: a user must present more than one factor when authenticating to a service. These factors are commonly described as something you have (a smartphone app or a physical key) and something you know (a username/password credential pair).
Many popular U2F keys are USB devices that plug into a port on the user’s laptop. When logging in to a cloud application, the user enters their credentials and then taps the button on the key to complete authentication. Under the hood, the key signs a challenge from the service that is bound to the site’s origin, which is what makes the factor phishing-resistant: a look-alike site gets a signature the real service will not accept.
The Efficacy of U2F MFA
Regardless of the factor type, MFA is one of the most effective security controls an organization can adopt. In a recent study, Symantec found that 80% of security breaches in the past few years could have been prevented by an additional authentication factor.
U2F MFA, however, is the most secure form of ‘have’ and ‘know’ MFA. The Google Security Blog evaluated several factor types and found that physical security keys prevented nearly 100% of account takeover attempts in its data, including targeted attacks.
Given that efficacy, many organizations intend to implement, or have already implemented, U2F MFA across their employee base. With much of the world working from home, however, enabling and enforcing U2F keys can present a challenge to newcomers.
Enforcing U2F MFA Across a Distributed Workforce
Unlike SMS or TOTP, which rely on a user’s smartphone (usually a personal device unless the organization issues phones), U2F keys are issued and owned by the IT organization. The onus is therefore on IT admins to log, track, and ship keys to users, train them in their use, and put identity management tooling in place so the keys are actually enforced.
In any deployment, IT admins need to track which key belongs to which user and apply U2F MFA across all of the organization’s cloud applications. With a distributed workforce, admins ship each key to its user and make sure their core directory service can handle identity and access management (IAM) for remote users. Because a lost or damaged key can lock a remote employee out, plan a recovery path, such as a second registered key per user, before turning on enforcement.
Using the Cloud for U2F MFA Management
A cloud directory service like JumpCloud®’s Directory-as-a-Service® is designed for managing remote users and their access to cloud applications, as well as systems, infrastructure, networks, files, and more. It does this by supporting a range of authentication protocols, each of which authenticates access to a resource against a single core identity.
For MFA on cloud apps specifically, Directory-as-a-Service uses WebAuthn to enforce U2F MFA for access to the JumpCloud User Portal. Once logged in to the User Portal with their JumpCloud credentials and their associated U2F key, users can access all of their applications and other cloud services through SAML.
Once WebAuthn support is enabled for the organization through the Admin Portal, admins register each U2F key against its user and ship the key to them. Through the Admin Portal, the IT department can also remotely provision user application access over SAML, including Just-in-Time (JIT) and SCIM provisioning for select applications.
If you’re interested in using U2F security keys for MFA on the cloud applications your organization relies on, consider consolidating your identity management with JumpCloud. The entire platform is free for up to ten users; all you have to do is sign up.