We received a request from a company that handles credit cards to strengthen the authentication of PCs located in closed network areas in order to comply with PCI DSS. In response, YubiOn proposed two-factor authentication for the PCs using the endpoint security product YubiOn WindowsLogon Standalone and the authentication device YubiKey, which resolved the issue. This article describes the details.
Introduced Organization
Credit card company
Deployment scale:
YubiOn WindowsLogon Standalone: Applied to more than 20 PCs in the closed area of the company network
Authentication device YubiKey: A YubiKey provided for each user
※ The YubiKeys were provided with their settings rewritten so that they can be used with the above software.
Issues
Strengthening PC authentication for PCI DSS compliance
The PCs in the closed network area are managed by Active Directory (AD), and logon to the PCs was authenticated by ID + password. The challenge this time was to strengthen the authentication of the PCs without affecting the existing AD environment in the closed network.
Solution
Deploying YubiOn WindowsLogon Standalone
Installing our software on the PCs enables two-factor authentication of the PCs using the authentication device YubiKey. The Standalone version does not require network communication, so it can be used in closed areas. In addition, it can be installed without affecting the existing Active Directory environment*1. The introduction of this software has also achieved the following effects:
Security with YubiOn WindowsLogon Standalone
Two-factor authentication with YubiKey (OTP) at PC logon
Automatic screen lock when the YubiKey is pulled out → You can leave your seat with peace of mind.
Master key setting → You can set a master key that allows you to log on with any account. It can be used for emergency logon when a YubiKey is lost.
*1 Why it does not affect the existing AD
When YubiOn WindowsLogon Standalone is installed, authentication with the authentication device YubiKey is performed before normal Windows authentication. Since it does not affect the authentication part of Windows, it can be introduced into an AD environment without changing the current settings.
Adoption of YubiKey
This time, the YubiKey 5 series, which can be customized, was adopted. The YubiKey's settings are rewritten in advance so that it can be used with our software*2. We have received feedback that it is easy to use because all users have to do to log on to their PCs is insert the YubiKey into the USB port and touch it. We also received inquiries about what to do if a YubiKey is lost, and we propose the following method to back up the YubiKey:
About YubiKey backup
Purchase two YubiKeys for each user and keep one as a backup. Also, purchase one YubiKey to set up a master key that allows you to log on with any account. If you lose your YubiKey, use your backup key or temporarily use the master key to log on. When you can log on with your new YubiKey, remove the lost YubiKey from the account settings.
*2 About the YubiKey to be used
The YubiKey used with this software requires some of its settings to be rewritten. YubiKeys purchased from Amazon, etc. cannot be used, so please purchase the YubiKey and the software as a set from us.
Finally
The products and authentication device information introduced this time are summarized below. Please feel free to contact us if you have a request.
Deploying YubiOn WindowsLogon Standalone
For product details, please refer to the product introduction page.
※ Since the YubiKey used with this software needs to be configured, please purchase it with the software as a set.