YubiKey LifeCycle Management - Key Retirement

Document Purpose

The purpose of this document is to provide guidelines and best practices for managing YubiKeys when a person leaves the company. YubiKeys provide access to company resources, and that access needs to be properly managed on termination. The goal of this document is to provide a high-level approach to managing YubiKeys when workers separate, so that proper processes and procedures can be implemented. This document is not intended to be a step-by-step guide, as every company's requirements are unique.



What to do with workers’ YubiKeys when they leave?

As employees, contractors, and partners separate from a company, the question arises of how to properly manage the YubiKeys issued to them. It can be difficult to recover every YubiKey a person is using: users may be remote, or may have accumulated a number of keys over time. In most scenarios recovering all keys will be challenging, so the separation process must not depend on getting the hardware back.

Best practices:

  • Disable the user's accounts and revoke their credentials at the time of separation. A YubiKey only holds the private half of each credential; once the accounts are disabled and every registration that accepts the key (PIV certificate, FIDO/U2F registration, OATH seed, Yubico OTP public ID) is revoked or removed on the relying side, the associated YubiKey cannot be used to access company resources. Keep an inventory of which systems each key was enrolled with, including systems outside the central identity provider, so that nothing is missed.

  • Do not reuse or reissue YubiKeys unless a documented reset process is in place (see "Should YubiKeys be reused?" below). Dispose of retired YubiKeys following your company's electronic waste disposal guidelines.



What is the risk of not recovering a YubiKey?

The YubiKey is a multifunctional security device. By following the best practices above, revoking credentials and disabling accounts, a YubiKey that is never recovered can no longer be used to authenticate, because each secret it holds is only useful where the matching public key, registration, or seed is still accepted. The YubiKey can have multiple credentials stored on the device, across several applications (PIV, OpenPGP, FIDO/U2F, OATH, OTP), so it is important to ensure that all related account credentials are disabled at the time of employee separation, and that certificate-based credentials are also revoked at the issuing CA rather than only disabled in the directory.

OpenPGP Consideration

Encryption keys that are issued to users need to be generated on a secured station, not on the YubiKey itself. A key generated on the device cannot be exported, so if the device is lost or leaves with the worker, any data encrypted to that key is unrecoverable. Keys generated on the station can be imported onto the YubiKey for use, and the encryption keys must also be archived in a secure location before they are moved to the device (the OpenPGP keytocard operation leaves only a stub on the station). This ensures that when the user leaves, the company keeps access to files encrypted to that key rather than the departing worker holding the only copy; the key should then be revoked and any data the worker must no longer read re-encrypted. Signing and Authentication keys are less critical, because losing them does not make existing data unreadable. The Signing and Authentication keys should be revoked and removed from the accounts they are associated with.
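The provisioning order described above, generate on the station, archive, verify the archive, and only then move the key to the YubiKey, as an added example that is not part of the Yubico guide. It assumes gpg 2.1 or later on the secured station; the user ID, key algorithm, archive directory and passphrase file are placeholders, and the final keytocard step is interactive and shown only as a comment.

```shell
#!/bin/sh
# Added example, not from the Yubico guide: generate an OpenPGP encryption subkey
# on the secured station, archive it in encrypted form, and verify the archive
# before the subkey is moved to the YubiKey. Assumes gpg 2.1 or later on the
# station. USER_ID, KEY_ALGO and the archive paths are placeholders.

USER_ID="${USER_ID:-Worker One <worker.one@example.com>}"  # placeholder identity
KEY_ALGO="${KEY_ALGO:-rsa4096}"                            # rsa2048 for NEO, rsa4096 for YubiKey 4/5
ARCHIVE_DIR="${ARCHIVE_DIR:-./escrow}"                     # assumed offline archive location
PASS_FILE="${PASS_FILE:-$ARCHIVE_DIR/archive.pass}"        # archive passphrase, held by the custodian

# gpg in unattended mode; the key itself gets no passphrase on the station,
# the archive is protected separately below.
g() { gpg --batch --yes --pinentry-mode loopback --passphrase '' "$@"; }

# generate_keys: certify-only primary key plus an encryption subkey, both
# created on the station (never with the card's own key generation).
# Prints the primary key fingerprint.
generate_keys() {
    g --quick-generate-key "$USER_ID" "$KEY_ALGO" cert never >&2
    fpr="$(gpg --batch --with-colons --with-fingerprint --list-secret-keys "$USER_ID" \
           | awk -F: '$1=="fpr"{print $10; exit}')"
    g --quick-add-key "$fpr" "$KEY_ALGO" encr never >&2
    echo "$fpr"
}

# archive_encryption_subkey FPR: export only the encryption subkey and wrap it
# with AES-256 under the archive passphrase. Must run before keytocard, which
# replaces the on-disk secret key with a stub. Prints the archive path.
archive_encryption_subkey() {
    fpr="$1"
    umask 077
    mkdir -p "$ARCHIVE_DIR"
    [ -f "$PASS_FILE" ] || dd if=/dev/urandom bs=32 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n' > "$PASS_FILE"
    # fingerprint of the encryption subkey; the trailing "!" pins the export to that subkey only
    sub="$(gpg --batch --with-colons --with-fingerprint --list-secret-keys "$fpr" \
           | awk -F: '$1=="ssb"{s=1; next} s && $1=="fpr"{print $10; exit}')"
    out="$ARCHIVE_DIR/$fpr-encr-subkey.asc.gpg"
    g --armor --export-secret-subkeys "$sub!" \
      | gpg --batch --yes --pinentry-mode loopback --passphrase-file "$PASS_FILE" \
            --symmetric --cipher-algo AES256 --output "$out"
    echo "$out"
}

# verify_archive ARCHIVE: restore the archive into a throwaway keyring and check
# that an encryption-capable secret subkey ("e" in the capabilities field) came
# back. Returns 0 on success; an archive that was never restored is not an archive.
verify_archive() {
    archive="$1"
    tmp="$(mktemp -d)"
    ok=1
    gpg --batch --yes --pinentry-mode loopback --passphrase-file "$PASS_FILE" --decrypt "$archive" \
      | g --homedir "$tmp" --import \
      && gpg --homedir "$tmp" --batch --with-colons --list-secret-keys \
         | awk -F: '$1=="ssb" && $12 ~ /e/ {found=1} END {exit !found}' \
      && ok=0
    rm -rf "$tmp"
    return "$ok"
}

# Final step, with the YubiKey inserted and ONLY after verify_archive succeeded
# (interactive, so not scripted here):
#   gpg --edit-key FPR   then:  key 1  ->  keytocard  ->  (2) Encryption key  ->  save
# The station is left with a stub; the verified archive is now the only full copy
# and goes to the offline escrow location.

main() {
    fpr="$(generate_keys)"
    archive="$(archive_encryption_subkey "$fpr")"
    if verify_archive "$archive"; then
        echo "primary $fpr: encryption subkey archived and verified at $archive"
    else
        echo "archive verification failed; do NOT run keytocard" >&2
        return 1
    fi
}

# Run the procedure as:  GNUPGHOME=/secure/keyring sh provision_pgp.sh provision
if [ "${1:-}" = provision ]; then
    main
fi
```

The primary key is certify-only and stays on the station; only the encryption subkey is exported, so the archive cannot be used to certify other keys in the worker's name. Because keytocard destroys the station copy, verify_archive is deliberately placed before it rather than after.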

If policy allows it, the YubiKey can also be used for personal purposes, for example as a U2F second factor for websites such as Google and Facebook. Those registrations live on the key, so resetting or destroying it locks the worker out of those accounts unless they have another factor enrolled, while leaving the key with them keeps the device outside the company's control. We encourage organizations to put exit processes in place where the company's appropriate representative asks the worker whether they have set up the YubiKey for personal use, so that access is properly managed going forward.



Should YubiKeys be reused?

YubiKeys can be reused, but there are a number of considerations to take into account when deciding whether to do so. Besides removing and reissuing credentials, tracking systems may need to be updated: if a company tracks which users hold which YubiKeys (for example by serial number), that record must be updated when a YubiKey is reassigned, and the history of who previously held each key should be retained so that later investigations and audits can be answered efficiently. Ensuring that all upstream and downstream systems have accurate information while properly resetting the YubiKey itself should also be considered. If a Certificate Management System (CMS) is managing the YubiKeys, it can be leveraged for the reuse process. A company should allocate time for properly resetting the YubiKey; in some cases, issuing a new YubiKey is preferable.



Resetting a YubiKey

If a company does want to reuse a YubiKey, or simply wants to remove all information from one, it is important to follow the support guidelines linked below. Care must be taken to ensure that all the information is removed: the YubiKey has multiple applications (PIV, OpenPGP, FIDO/U2F, OATH, and the two OTP slots), each of which has to be reset independently, and there is no single command that wipes the whole device. Resetting removes the secrets from the key but does not revoke anything on the relying systems, so revocation still has to be done there. If a YubiKey application is managed by another system, such as a smart card CMS, follow that system's process to reset the application and clean up the backend management system's records. The company's operational process (resetting all YubiKey applications, updating tracking systems, updating upstream and downstream systems) should be automated and tailored to the company's needs. It is a best practice to reset all applications regardless of whether the company uses them, to ensure all data is removed. Yubico has a number of partners who offer consulting services to assist in developing automated processes for a company's particular needs.
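The per-application reset described above, as an added example that is not part of the Yubico guide or its support articles. It assumes the YubiKey Manager CLI (ykman 5.x command syntax) is installed on the operator's workstation; the YKMAN variable and the serial number in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not from the Yubico guide: reset every application on a retired
# YubiKey with the YubiKey Manager CLI (ykman 5.x command syntax) and report each
# step, so a partially wiped key is never recorded as clean. The YKMAN variable
# and the serial number in the usage comment are placeholders.

YKMAN="${YKMAN:-ykman}"

# reset_all_apps SERIAL: reset each application independently; there is no single
# whole-device reset. Order matters: the FIDO reset is only accepted shortly after
# the key is inserted and needs a touch, so it goes first and the operator
# re-inserts the key right before running this. The OTP application has no reset
# command, so both slots are deleted instead (if a slot access code was set,
# ykman must be given it; see "ykman otp --help").
# Returns the number of failed steps (0 = every application reset).
reset_all_apps() {
    serial="$1"
    failed=0
    for step in "fido reset -f" "piv reset -f" "oath reset -f" \
                "openpgp reset -f" "otp delete 1 -f" "otp delete 2 -f"; do
        # shellcheck disable=SC2086  # $step is split into sub-command and options on purpose
        if "$YKMAN" --device "$serial" $step; then
            echo "ok    $serial: $step"
        else
            echo "FAIL  $serial: $step"
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# verify_clean SERIAL: show what each application still holds after the reset.
# Expected: no OATH accounts, no PIV certificates and default PIN retries, no
# OpenPGP keys, both OTP slots empty, no FIDO PIN or credentials.
verify_clean() {
    serial="$1"
    "$YKMAN" --device "$serial" oath accounts list
    "$YKMAN" --device "$serial" piv info
    "$YKMAN" --device "$serial" openpgp info
    "$YKMAN" --device "$serial" otp info
    "$YKMAN" --device "$serial" fido info
}

# Usage, after re-inserting the key:  sh reset_yubikey.sh 12345678
# Resetting removes the secrets from the key only; revocation on the relying
# systems and the update of the asset-tracking record are separate steps.
if [ -n "${1:-}" ]; then
    reset_all_apps "$1" && verify_clean "$1"
fi
```

The return value is the count of failed steps rather than a simple pass/fail, so an asset-tracking workflow that calls this script can refuse to mark the key as reset unless the count is zero. An application managed by a CMS should be reset through the CMS instead of the corresponding step here.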


Support documentation for resetting YubiKey 4 and/or YubiKey NEO to factory defaults can be found at: https://support.yubico.com/support/solutions/articles/15000008845-resetting-your-yubikey-4-or-yubikey-neo-to-factory-defaults

Support documentation for resetting YubiKey 5 to factory defaults can be found at: