Break glass accounts are crucial accounts that provide access to critical systems during a variety of emergencies. Microsoft’s recent announcement on the enforcement of multi-factor authentication (MFA) for Microsoft Entra ID sign-ins highlights the impact on break glass accounts and improved security postures: “We have heard your questions about break glass or ‘emergency access’ accounts. We recommend updating these accounts to use FIDO2 or certificate-based authentication (when configured as MFA) instead of relying only on a long password. Both methods will satisfy the MFA requirements.”
As a safety net during various emergencies, break glass accounts are important for scenarios including:
- Network or Service Outage: When network connectivity or internet access is disrupted, preventing authentication over telephony transports and wireless networks.
- Failure of Federation Services: When the identity provider offering federated authentication experiences a service disruption.
- Privileged Role Member Unavailability: When members of privileged roles, such as the Global Administrator, have left the organization or are unavailable.
- Privileged Access Management Tool (PAM) Unavailability: When PAM tools used to securely store access credentials for high-privilege users are unavailable due to disruption or maintenance.
However, the security of these accounts is often overlooked. This oversight can be addressed by leveraging device-bound passkeys residing in devices purpose-built for security such as YubiKeys, to achieve high assurance authentication. As we delve into the specifics of using YubiKeys for break glass accounts, it’s crucial to understand the compelling benefits they offer in enhancing account security.
Why YubiKeys are a critical security tool for break glass accounts
One of the biggest advantages of YubiKeys is their ability to support passwordless authentication using passkeys. Passkeys eliminate the operational overhead of password management and reduce the risk of password-related security breaches. Passwordless authentication is not only more secure, but also more convenient – ensuring that access is both easy and secure during an emergency. Additional benefits include:
- Phishing-resistant MFA backed by hardware
- Passkeys stored on YubiKeys offer robust security through the FIDO2 protocol, providing phishing-resistant MFA. Unlike passwords that can be phished or stolen, device-bound passkeys on YubiKeys use public key cryptography binding the domain to the credential. Passkeys reside in the YubiKey hardware form factor and cannot be exfiltrated or remotely compromised as the private key never leaves the authenticator – ensuring the highest level of security for organizations.
- Reduced service dependency footprint
- Passkeys on YubiKeys operate independently of traditional MFA methods that rely on external systems, such as SMS or push notifications, which depend on network connectivity and telecommunication services. In cases where these services are disrupted, device-bound passkeys on YubiKeys ensure a reliable authentication method that remains unaffected by such dependencies.
- Ideal for offsite storage
- YubiKeys don’t contain moving parts and are designed to be simple and robust, with a solid-state construction that contributes to their reliability. They don’t require batteries or an external power source, as they draw power directly from the USB or NFC connection when in use, making them ideal for offline storage and offsite locations.
With a clear understanding of why YubiKeys are a critical security tool for break glass accounts, let’s now explore the practical steps to set them up effectively. Implementing these steps will ensure that your emergency access accounts are both secure and readily accessible when needed.
Setting up YubiKeys for break glass accounts
- Create a Security Group: Start by creating a security group specifically for your break-glass accounts. Assign the Global Administrator role to this group.
- Use Cloud-Only accounts: Create accounts native to identity and service provider platforms ensuring they aren’t federated or synchronized.
- Register two YubiKeys: Each break-glass account should have two YubiKeys registered to ensure redundancy.
Some additional best practices for security of accounts include:
- Policy exclusions: Make sure your policies do not block access to break glass accounts which will require unimpeded access during an emergency.
- Secure storage: Store YubiKeys in secure, separate locations to prevent unauthorized access.
- Document procedures: Clearly document how to access and use break glass accounts and train your team on these procedures.
- Regular testing: Regularly test the processes to ensure they work as expected during an emergency.
Additionally, consistently monitor activities related to break glass accounts and set up alerts for any changes or usage. Periodically review who has access to ensure that only authorized personnel can use these accounts. This helps maintain the security and integrity of your emergency access procedures.
YubiKeys provide an excellent solution for securing break glass accounts, with their support for passwordless authentication, strong phishing-resistant MFA, reduced service dependency footprint, and solid-state design ideal for offsite storage. By deploying YubiKeys and following recommended practices, you can ensure that your emergency accounts are always secure and ready for use. Regular training, rigorous testing, and continuous monitoring ensure that everything remains in order, giving you confidence that your critical systems can be accessed during a crisis event.
Don’t miss our newest blog detailing the Microsoft MFA Mandate and the recently announced Microsoft Entra ID FIDO2 provisioning APIs that give organizations the option to develop or leverage alternative administrator-led provisioning clients that support the setup of YubiKeys. Be sure to also check out our recent blog post here for more info on all the ways you can incorporate YubiKeys across the Microsoft ecosystem.
For any questions and to learn how to get started implementing YubiKeys for your business, contact our team here.
