How to use YubiKey on RDP sessions
If you already have YubiKeys, you probably bought them for a specific use case. Did you know you can also use YubiKey to secure Remote Desktop Protocol (RDP) connections? With UserLock, it’s easy.
Published November 19, 2024If you already have YubiKeys, you probably bought them for a specific use case. Did you know you can also use YubiKey for secure multi-factor authentication (MFA) on Remote Desktop Protocol (RDP) connections? With UserLock MFA, it’s easy.
Here’s how YubiKey and UserLock MFA work together to deploy MFA on RDP connections, across both domain and off-domain machines.
RDP connections are widely-used. Unfortunately, they are also vulnerable to attack. As an additional layer of security, MFA makes it difficult for hackers to exploit these vulnerabilities. And more and more regulatory and cyber insurance requirements now mandate MFA on RDP connections.
We work with a lot of organizations that want or already have YubiKeys for specific use cases. Depending on how many users you have, YubiKeys are often a big investment. The ability to use them for secure MFA across more connection types, like Windows logons and RDP connections on off-domain machines, helps justify the expense even more. Not to mention, you get all the benefits of a highly secure MFA method on frequently-exploited connection types.
Remote workers handle sensitive data in situations that often aren’t totally secure (we’ve all seen laptops with sessions left open at the coffee shop). UserLock MFA with YubiKey on RDP connections offers both ease of use and high security for your remote workforce.
Why? Well, attackers would need to physically get their hands on the key and the user’s password to bypass MFA. Is that possible? Sure. There’s always the risk an employee will forget a key somewhere, or it could get stolen. And passwords are notoriously easy to hack. But in either scenario, either a threat actor gets really lucky, or they have to go to a lot of trouble to get that key.
For many organizations already using YubiKeys, all of this makes it an attractive option to add MFA with YubiKeys on RDP connections.
Since the early days of the shift to remote work, the importance of MFA for RDP is a given. In fact, it's a common requirement across many compliance mandates, cyber insurance guidelines, and security best practices.
YubiKey works well across many authentication scenarios. However, its application for Windows RDP from off-domain machines presents a challenge.
Consider a hybrid organization with employees that frequently work from home or traveling. At the office, in-house system accesses are protected by YubiKey's MFA. But guaranteeing the same security level for off-domain RDP connections with these partners is more complex. Today, YubiKeys are complex to use as an MFA method for RDP connections from machines that aren’t on the domain.
Scenarios like these aren't outliers. In fact, they're becoming the norm. And as work extends beyond the four walls of the office, finding ways to use your YubiKeys across more use cases, such as RDP connections from off-domain machines, is an important boost to security and your budget.
So, as we mentioned above, implementing MFA for RDP from off-domain machines with YubiKey isn’t natively possible. This is where UserLock comes into play.
UserLock, seamlessly integrating with your Active Directory, offers the technical capability to use your YubiKeys to deploy MFA on RDP connections. This ability, crafted for straightforward implementation, benefits both administrators and end-users.
However, there is a catch: you have to be able to first enroll your users’ YubiKey on a local connection. Curious about the procedure? Our step-by-step guide to onboarding YubiKeys for UserLock provides a clear roadmap.
Configuring YubiKey for Windows and RDP is possible without UserLock, but complicated. Another benefit of UserLock is that you don’t have to configure certificates and worry about them expiring, which could block users from connecting.
To set up YubiKey RDP MFA through UserLock, you’ll want to first install desktop agents on target machines. This ensures comprehensive coverage for local, RDP, RD Gateway, and VDI connections.
Plan your deployment meticulously, starting with IT admins and gradually extending to other users. UserLock MFA supports various authentication methods like UserLock Push notifications, third-party authenticator apps, USB tokens, and programmable tokens, providing a versatile and robust security layer.
Customizable MFA prompts, recovery codes, and skip options add flexibility. So user enrollment is seamless and day-to-day management is easy for IT.
To-date, UserLock does not allow the ability to remotely enroll users with YubiKeys on off-domain or BYOD devices.
As always, balancing security with convenience is key. The combined power of YubiKey and UserLock brings distinct advantages.
Here are the key benefits:
Advanced authentication: Integrating YubiKey with UserLock adds a strong security layer, making any unauthorized access more challenging.
Contextual access controls: UserLock's ability to set contextual restrictions is a game-changer. Administrators can customize access based on various parameters, such as the user's location, access time, or device use. This granularity ensures dynamic yet secure access policies.
Protection against compromised credentials: In scenarios where user credentials might be exposed, the combined strength of YubiKey and UserLock acts as a formidable barrier, ensuring that unauthorized entities can't exploit these credentials.
Efficient login process: YubiKey's design is user-centric. A simple tap is all it takes to authenticate, eliminating the hassles of remembering complex codes or relying on additional devices.
Uniform user experience: Regardless of their role within the organization, every user encounters a seamless and intuitive interface. This uniformity ensures that security measures are consistently applied across the board.
Internet optional: One of UserLock's standout features is its on-premise hosting capability, which offers a significant advantage when combined with YubiKey. Users don't need to have an internet connection to complete MFA, making UserLock an ideal MFA solution to maintain security and compliance no matter where your users logon.
Adherence to regulatory standards: Regulatory compliance is a pressing concern for many organizations. Combining YubiKey and UserLock ensures alignment with cybersecurity standards, streamlining the compliance process.
Detailed auditing: Transparency is crucial in today's business environment. UserLock's auditing capabilities provide a clear trail of user activities, ensuring that organizations can swiftly address anomalies and maintain accountability.
Protection from data breaches: Data breaches can tarnish an organization's reputation and produce hefty financial penalties. By tightly controlling access to sensitive data, the risk associated with breaches is significantly mitigated.
Integrating YubiKey with UserLock offers organizations a strategic advantage, ensuring enhanced security, user convenience, and regulatory compliance.
Read more about UserLock and YubiKeys for MFA on Windows domain logons
UserLock is designed to tackle potential security threats. Recognizing and responding to these threats is critical for the safety of organizational data and network integrity. Here's a closer look at the security challenges and a comprehensive solution:
Users often access systems from various entry points, sometimes spanning different continents. While this offers flexibility, it also presents a security challenge. Shared credentials or a potential breach can manifest as simultaneous logins from different locations.
UserLock's monitoring dashboard makes it easy to spot such high-risk behaviors, especially when access points are detected within and outside the local network, ensuring timely interventions.
Cybercriminals often employ brute-force attacks, attempting multiple logins to gain unauthorized access. UserLock's default setting flags any user with more than five failed login attempts within a 30-minute window, and can automatically block access.
However, understanding that one size security doesn't fit all, UserLock allows you to customize this threshold, aligning with your organization’s unique risk profile.
The digital workspace's dynamic nature means users might (and often do) have multiple sessions open. However, an unusual surge or an unexpected session type are red flags that admins don’t want to miss.
On the monitoring dashboard, UserLock shows a “User status” as a way to raise visibility on risk when the number of sessions or the type of initial access points exceeds a predefined limit, ensuring that anomalies don't go unnoticed.
Attempts to access your system using accounts that are locked or disabled in Active Directory are clear indicators of suspicious activity. UserLock's proactive monitoring system instantly flags such attempts, adding an extra layer of security to the network.
Every organization has a flow of personnel — new hires, consultants, or even returning employees. UserLock tags users as “new” if they access the network for the first time or after prolonged inactivity.
This feature ensures that any unfamiliar or unexpected access is immediately brought to the attention of the administrators.
YubiKey's strength lies in its MFA capabilities. However, it can of course be misplaced or fall into the wrong hands. Users must be careful about how they store and handle their YubiKey.
Administrators can conduct regular awareness sessions to educate users about the importance of keeping their YubiKey safe, ensuring that this critical security tool remains effective and in the right hands.
In case of loss, UserLock's optional "Ask for Help" MFA feature can alert administrators to take timely actions like resetting the MFA key or temporarily disabling MFA.
As threats evolve rapidly, UserLock, especially when paired with a secure MFA method like YubiKey, adds effective layers of security to prevent unauthorized access to your network.
Together, UserLock and YubiKey offer top-tier protection and a user-friendly experience to secure RDP connections.
With strong, straightforward MFA for your remote workforce, you can meet even the toughest compliance standards.
That said, security isn't one-size-fits-all. As always, the challenge for IT teams is to balance operational productivity and robust security.
Alternative authentication methods like push notifications or authenticator apps also provide strong security measures. While these methods may lack the almost impenetrable protection offered by hardware tokens and keys, they often make up for it by being more user-friendly for certain use cases and organizational settings.
This is where MFA solutions like UserLock come into play, offering administrators the latitude to tailor their security measures. With the ability to implement up to two different MFA methods, UserLock provides the needed adaptability to match varying organizational needs and risk profiles.