I'm really interested in learning how others are tackling multi-factor authentication (MFA) for breakglass accounts in fully remote companies. Currently, I'm configuring a breakglass account in Azure and hit a snag: I can't use One-Time Passwords (OTPs) from my regular password manager. Our tenant also lacks certificate-based authentication, so that option is off the table. From what I've seen, Microsoft is pushing for passwordless MFA, which seems to narrow it down to using FIDO2 as the primary method. How are other organizations managing this? Are you using hardware keys like YubiKeys? How do you handle multiple keys amongst team members? I'd love to hear your approaches!
5 Answers
Using a password manager that generates OTPs is another method. We utilize Keeper for this, but I have run into issues where TOTP tokens sometimes stop working altogether. Usually, I store the token in 1Password; I’ve even tried Microsoft Authenticator with no luck.
We each have 3 YubiKeys linked to our breakglass accounts. Three different employees hold physical YubiKeys, and they know the PINs for the other two keys. This way, at least two people have to collaborate to access the breakglass account, which adds an extra layer of security. We do a routine test every 90 days to ensure everyone remembers their PINs and we reset them after each test.
I've just implemented YubiKeys for breakglass accounts as well. It alerts us when someone logs in, which helps maintain oversight. Logins to these accounts generate an automatic alert to keep us in the loop.
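As an added example (not code from this thread), here is the kind of automatic alert on breakglass sign-ins that the answer above describes, run over constructed sign-in records; the account names, the record shape and the "FIDO2 security key" method label are assumptions, loosely modelled on Entra ID sign-in logs.

```python
import json
from typing import List, Optional

# Constructed break-glass UPNs (assumed, not from the thread); in practice load them
# from the same inventory that tracks who holds which YubiKey.
BREAKGLASS_ACCOUNTS = {"bg-admin1@contoso.example", "bg-admin2@contoso.example"}
# The thread's consensus: break-glass sign-ins should come from FIDO2 keys only.
EXPECTED_METHODS = {"FIDO2 security key"}

def evaluate_signin(event: dict) -> Optional[dict]:
    """Return an alert dict for a break-glass sign-in event, or None for everyone else."""
    upn = event.get("userPrincipalName", "").lower()
    if upn not in BREAKGLASS_ACCOUNTS:
        return None
    methods = {d.get("authenticationMethod") for d in event.get("authenticationDetails", [])}
    if event.get("status", {}).get("errorCode", -1) != 0:
        # Failed attempts against a break-glass account deserve attention on their own.
        return {"severity": "high", "upn": upn, "reason": "failed sign-in attempt"}
    if not methods & EXPECTED_METHODS:
        # Success without a FIDO2 key means a weaker method is still registered and usable.
        return {"severity": "critical", "upn": upn,
                "reason": "sign-in without FIDO2: " + ", ".join(sorted(m for m in methods if m))}
    # Expected path: the key was used; still page someone, because any use should be rare.
    return {"severity": "high", "upn": upn, "reason": "break-glass account used (outage or drill?)"}

def evaluate_log(lines: List[str]) -> List[dict]:
    """Evaluate JSON-per-line sign-in records and keep only the alerts."""
    return [a for a in (evaluate_signin(json.loads(line)) for line in lines) if a]

# Constructed sample records (not real data): one normal user, then three break-glass events.
SAMPLE_LOG = [
    json.dumps({"userPrincipalName": "alice@contoso.example", "status": {"errorCode": 0},
                "authenticationDetails": [{"authenticationMethod": "Password"},
                                          {"authenticationMethod": "Mobile app notification"}]}),
    json.dumps({"userPrincipalName": "BG-Admin1@contoso.example", "status": {"errorCode": 0},
                "authenticationDetails": [{"authenticationMethod": "FIDO2 security key"}]}),
    json.dumps({"userPrincipalName": "bg-admin2@contoso.example", "status": {"errorCode": 0},
                "authenticationDetails": [{"authenticationMethod": "Password"}]}),
    json.dumps({"userPrincipalName": "bg-admin1@contoso.example", "status": {"errorCode": 50126},
                "authenticationDetails": [{"authenticationMethod": "Password"}]}),
]

if __name__ == "__main__":
    for alert in evaluate_log(SAMPLE_LOG):
        print(alert)
```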
FIDO2 keys are definitely the way to go. They've proven to be reliable, especially for securing breakglass accounts. To ensure everyone knows how to use their keys, we run drills frequently. It's critical not to discover in a crisis that someone has forgotten how to utilize theirs!
We keep YubiKeys stored securely in a safe. It’s straightforward and allows easy access when needed without compromising security.
How did you come up with this specific setup? Is it based on any best practices?