SOC 2: Is a YubiKey actually worth it?

I'm considering getting a YubiKey 5 as part of my company's SOC 2 compliance work. Is it actually good?

I'm also considering making my 8 employees use VMs to access our data since SOC 2 requires device management. Is there a way to do that that wouldn't be a pain for the end users?


no clue what this key shit is but VMs will always be a pain to your employees. anything graphical will always be slow over a network and it will be annoying for them. i spent a good 3 work days just trying to avoid having to use the VMs at my job. i've resorted to using ssh with nothing graphical to do my work.

Fair enough, I was planning for it to be something local on their personal devices with VirtualBox/HyperV

that seems weird. you can't just manage the local computers?

If you're snowden or assange, sure. But anything other than that no

>their personal devices
NGMI
buy used thinkpads and provision those to employees.

I contract to a fortune 100 company and they gave me a YubiKey for authentication years ago, and forced me to register my phone for additional 2FA using a Google Authenticator app. Their services have slowly switched from the YubiKey to my phone's Google Authenticator. I haven't used my YubiKey in probably a year.

>YubiKey
If they haven't fixed the ROCA vulnerability then they are worthless as a security device.

Technically yes, but they're the personal devices of the employees so that seems wrong

BYOD policies are bad. Issue them company laptops.

why would you even let employees use their own personal devices for work, isn't that against every security guideline there is
BYOD is then another matter, but in that case you just provision it as your managed laptop

Citrix would probably be your best bet. Some people at my job don't even use the company issued laptops and just use a citrix workstation on their personal computer.

It's mostly just because it's expensive and annoying to manage if they get fired

>yubikey
Non-foss = botnet

>it's expensive
old chinkpads are like €200 (~$200) each, you should be able to afford that
>annoying to manage if they get fired
how so? you just make them return the laptop and delete their files, they do not have admin access anyway so deleting the account is enough. and in case they decide to steal it you just call the cops

do NOT buy these "open source" security keys, I've got solokeys and a nitrokey, they all suck, never work as advertised

I was considering them as alternatives to a yubikey. Can you elaborate on your problems?

very poor build quality for a start, the solokeys are just components soldered onto a PCB with a silicone sleeve over it, had an LED failure within a year. The Nitrokey has a flimsy case.
The software is just very barren, Nitrokey doesn't have a GPG firmware yet, I'm not sure about the solokey one, I think they've completely abandoned that product.
Really, these keys cost as much as a yubikey but are just half-assed copies, with some "open source" marketing slapped on to appear worthy of support. They are not.

That was like 5 years ago. They fixed it rather quickly and gave everyone who sent them a picture of their key a free replacement.
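The ROCA issue raised above (and the reply that it was fixed) refers to weak RSA key generation on affected Infineon chips. Whether a given RSA key was generated by a vulnerable firmware can be checked offline from the public modulus alone, because those moduli have a distinctive residue structure modulo small primes. The script below is an added example, not code from this thread or from Yubico; it mirrors the approach of the public roca-detect fingerprint and uses constructed sample keys (not real ones) to exercise both outcomes.

```python
"""ROCA (CVE-2017-15361) residue fingerprint for RSA moduli: keys from the
affected Infineon library have residues mod small primes that all lie in the
subgroup generated by 65537; a random modulus almost never does."""
import base64
import struct

# Small primes the fingerprint is evaluated against (approach of roca-detect).
PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61,
          67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131,
          137, 139, 149, 151, 157, 163, 167]
GENERATOR = 65537

def _subgroup(p: int) -> set:
    """All residues 65537**k mod p, i.e. the subgroup 65537 generates."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = (x * GENERATOR) % p
    return seen

ALLOWED = {p: _subgroup(p) for p in PRIMES}  # computed once, reused per key

def is_roca_fingerprint(n: int) -> bool:
    """True if every residue of n matches the ROCA structure (suspect key)."""
    return all(n % p in ALLOWED[p] for p in PRIMES)

def parse_ssh_rsa(line: str) -> int:
    """Extract the modulus n from an OpenSSH 'ssh-rsa AAAA...' key line."""
    blob, fields, pos = base64.b64decode(line.split()[1]), [], 0
    while pos < len(blob):  # each field: 4-byte big-endian length + bytes
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        fields.append(blob[pos + 4:pos + 4 + length])
        pos += 4 + length
    if fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key")
    return int.from_bytes(fields[2], "big")  # fields[1] is e, fields[2] is n

def encode_ssh_rsa(e: int, n: int) -> str:
    """Build an ssh-rsa line; used here only to construct sample input."""
    def mpint(v: int) -> bytes:  # extra byte keeps the sign bit clear
        b = v.to_bytes((v.bit_length() + 8) // 8, "big")
        return struct.pack(">I", len(b)) + b
    blob = struct.pack(">I", 7) + b"ssh-rsa" + mpint(e) + mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode()

# Constructed samples, not real keys: 65537**50 has the ROCA residue structure
# by construction; adding 2 breaks it (e.g. residue 3 mod 11, not in {1, 10}).
SUSPECT = encode_ssh_rsa(65537, 65537 ** 50)
CLEAN = encode_ssh_rsa(65537, 65537 ** 50 + 2)
```

Run `is_roca_fingerprint(parse_ssh_rsa(line))` over each line of an authorized_keys file to triage keys; a True result means the key should be regenerated on fixed firmware, not that the device is still shipping the bug.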

i can assure you that you, as a supervisor, are far more heartless than the average person. if they are happy at the job, they will not steal it. just don't be a shit boss.
btw are your employees in the tech field? if so, you could discuss this with them instead of shitters on the internet.

> closed source
> NSA backed
If you just want authentication, then it’s probably the best hardware token.
If you want any security/privacy, look into Nitrokeys or similar.