YubiKeys are a core component of a strong security solution, well-suited for call centers’ authentication needs. The multifunctional capability that leverages many different authentication protocols on a single device provides the flexibility that call centers need. Although companies understand the value of providing strong authentication, not all of them have dealt with a decentralized hardware-based authentication model. The shift away from a centralized software authentication model brings up a number of questions; particularly about deploying and managing YubiKeys. This document will provide guidance on how companies can deploy and manage YubiKeys.
The call center environment is fast-paced, handling large volumes of transactions. Call centers typically operate 24 x 7 with multiple shifts. Operators need to have a lot of information at their fingertips to be able to respond quickly to customers. Their work can involve highly sensitive information. Properly protecting that data is crucial to call center employees and their management. Anyone dealing with sensitive information usually has to follow regulatory requirements for strong authentication, including two-factor authentication. Many two-factor authentication offerings require the use of a mobile phone. This can be a particular challenge for call centers as they must prevent bad actors from using the phone’s camera to take pictures of sensitive customer information. This forces call centers to prohibit mobile devices.
This document is intended for those interested in implementing YubiKeys in a call center environment. It sets out the considerations involved in a successful deployment. The document will provide guidance for decision-makers and project managers on the key decisions that need to be made when deploying YubiKeys. This document does not provide the steps for technical implementation; instead, it provides links to the appropriate deployment guides.
Leveraging YubiKeys in the Call Center
Yubikeys are an ideal authentication solution for call centers, in that the YubiKey is a multi-functional authentication device that can be leveraged in a variety of authentication scenarios. In addition, the YubiKey integrates with the majority of access management and Single Sign-On providers.
Workstation Login Options with YubiKeys
To render initial login to the call center more efficient, the YubiKey can replace the login password if it is deployed as a smart card. Instead of entering a password to login, the operator simply presents their YubiKey (USB or NFC may be used) and types a PIN that changes rarely, if ever. Many call centers leverage virtual desktop infrastructure (VDI) to improve security and operational efficiencies. YubiKeys work with VDI software to provide a seamless and secure login experience.
Benefits of YubiKeys for Initial Login
Faster login/logout experience: YubiKey as a smart card eliminates the need for the user to enter username and password to authenticate. PIN entry is less error-prone because PINs are usually simple and they do not expire. Also, an additional layer of security can be provided through a lockout or logout event triggered when the YubiKey is unplugged.
Fewer passwords to remember: Leveraging the YubiKey to log into a workstation with a PIN reduces the number of passwords a person has to remember and therefore the number of calls to the Service Desk when passwords are forgotten.
Built-in two-factor authentication (2FA): Smart card implementations meet 2FA requirements. In addition, most federation tools have built-in smart card support to enable single sign-on and/or 2FA support.
Third party tools can also be leveraged for initial 2FA login with YubiKeys without a smart card implementation.
Strong authentication with granular controls: YubiKeys meet the highest authentication standards such as NIST SP 800-63. Additionally, in a Microsoft environment, the system can recognize whether an operator logs in with a smart card or with a username and password. This enables additional access to be automatically granted when the system recognizes a user logging in with a smart card.
Locally managed onboarding tools: Out-of-the-box and/or third party tools can be used to delegate the management of smart cards to front-line personnel. Call centers have flexibility in how they manage onboarding, support, and offboarding events. Tools are also available to provide self-service, local management, or centralized support to manage smart cards.
As smart cards, YubiKeys provide a significant amount of out-of-the box functionality. However, they do require a PKI environment. PKI environments can be straightforward or complex, and care should be taken to design the environment for a company's specific needs.
2FA Options with YubiKeys
Yubikeys are commonly used to provide a second factor for authentication. This provides additional security and meets a number of regulatory and customer requirements that call centers must adopt. With YubiOTP (OTP = one-time passcode), the YubiKey provides commonly used OTP-based capabilities as well as more enhanced OTP capabilities. The YubiKey also supports the FIDO2 and U2F second factor standard, which Yubico pioneered. This standard combines high security with ease-of-use to provide additional protection against phishing attacks. YubiKeys also support standard time based (TOTP) and hash based (HOTP) one-time passcodes that are common across the industry. The YubiKey is not bound to a mobile device, making it an ideal option for call centers and nor does it require a PKI environment.
Benefits of YubiKeys for 2FA
Faster 2FA experience: Less time is wasted logging into systems with YubiKeys. By requiring a user to do no more than touch the YubiKey instead of requesting, receiving, and typing in a code, 2FA significantly speeds up the user login process. Google did an extensive study and found that using YubiKeys decreased login time by nearly 50 percent. In a call center where time is critical, this increase in operative efficiency is significant. The more applications an operator needs to log into, the more important this becomes.
Durable: Being extremely durable, YubiKeys are used in extreme environments. The devices do not require cell or internet access to function properly so locations with poor coverage do not affect the keys’ ability to function. Additionally, unlike phones or apps, they do not need to be updated or externally powered.
Quick Setup: 2FA setup can be fast and does not require an IT administrator. This means that deployment of keys to new employees is very quick.
Strong Authentication: Hardware-backed authenticator leveraging U2F protocol provides a very strong second-factor authentication. Additionally, YubiKeys provide a strong and flexible OTP solution.
YubiKey Management in a Call Center
Key management is an important topic due to high security requirements and high turnover in call centers. Following standard processes, YubiKeys do not pose a security risk if they are lost or not returned on separation. If there is a requirement that YubiKeys be retained and/or reset so they can be reused, this is also an option. For more information on reusing YubiKeys, refer to the YubiKey LifeCycle Management - Key Retirement document.
Controlling YubiKeys in Different Environments
Call Centers differ on the strictness of their operational controls. The management of YubiKeys should align with how other operational controls are managed. Below is a list of options on how to manage YubiKeys at different control levels. At all levels, an efficient process to report and revoke access for lost YubiKeys must be in place.
Strict Controls: Strict controls of YubiKeys can be addressed by handing out the key at the beginning of an operator’s shift and returning it to the manager or security guard at the end of the shift. In this scenario, the keys never leave the building and are locked up while not in legitimate use. This procedure can be adopted for reasons of economy, too.
To ensure the keys are returned, some companies have check-in and check-out processes that exchange personal belongings, such as phones that are not allowed in the call center, with their YubiKeys. When the operators return the YubiKeys, they get back their phone or other personal belongings. For easier identification, YubiKeys can be attached to a lanyard along with the company badge.
Having a check-in / check-out process can be time-consuming. It is important to ensure the process is as efficient as possible while meeting the strict controls.
Medium Controls: At the medium level, an operator would have control of the key but would only be issued one YubiKey. If they lose the key, they would need manager approval to receive another YubiKey from the security team. The security team would deactivate the lost YubiKey.
Alternatively, a simple notification could be sent to the manager when a YubiKey is issued. This reduces friction for the operators and allows the manager to only take action when needed. The operator would be required to return the YubiKey on separation.
Low Controls: At a low level of control, an operator has control of a YubiKey at all times and does not need to turn it in at the end of their shift. If the operator loses or forgets their YubiKey, a self-service process could be used to ensure employees can quickly return to work. Some companies have installed vending machines that hold YubiKeys so an operator can quickly acquire a new key. The operator could be required to pay for the replacement YubiKey.
For virtual call centers it is recommended that the operator have a backup YubiKey that can be used if the primary key is lost. At this level, it is assumed that operators are not required to return YubiKeys, as workplace efficiencies are more important.
In summary, YubiKeys are well-suited for call centers. They provide strong authentication that is very fast, and they do not require the use of a mobile phone. YubiKeys provide an array of authentication options to meet a call center’s needs. With the proper set of physical control processes, key loss can be greatly reduced.