Overview
This article discusses Palantir's journey in implementing FIDO2 authentication using hardware authenticators, specifically YubiKeys, to enhance security against sophisticated threats. It outlines the threat model, hardware selection process, self-service ordering portal, and the overall implementation timeline.
What You'll Learn
1
How to implement FIDO2 authentication using YubiKeys
2
Why hardware-backed authentication is essential for security
3
How to set up a self-service ordering portal for hardware authenticators
4
When to use roaming versus platform authenticators
Prerequisites & Requirements
- Understanding of FIDO2 standards and authentication mechanisms
- Familiarity with Azure Active Directory for identity management(optional)
Key Questions Answered
What is the threat model that Palantir uses for authentication?
Palantir's threat model emphasizes strong security against sophisticated adversaries, focusing on eliminating risks from compromised credentials and phishing attacks. They implement a zero-trust philosophy and mandatory multi-factor authentication to safeguard against unauthorized access.
How does Palantir select hardware authenticators for FIDO2?
Palantir chose the YubiKey 5 FIPS series for its compliance with FIPS 140-2, native FIDO2 support, and supply chain assurance. This selection was crucial for meeting their security and logistic demands for a global workforce.
What features does the self-service ordering portal provide?
The self-service ordering portal allows users to order YubiKeys directly, choose their preferred form factor, and have keys shipped to their location. This increases the speed of distribution and reduces the need for centralized operations involvement.
What challenges did Palantir face during the FIDO2 implementation?
Palantir encountered challenges such as immature platform features in Azure AD, unsupported applications, and the need for behavioral changes among employees. The project took approximately 16 months to complete, highlighting the complexity of enforcing passwordless authentication.
Key Statistics & Figures
Number of YubiKeys ordered via self-service portal
almost 6,000 keys
This reflects the efficiency of the self-service ordering system implemented at Palantir.
Duration of the FIDO2 implementation project
approximately 16 months
This timeframe highlights the complexity and challenges faced during the transition to passwordless authentication.
Technologies & Tools
Hardware
Yubikey 5 Fips Series
Used for FIDO2 authentication to enhance security across Palantir's systems.
Identity Management
Azure Active Directory
Serves as the identity provider for managing user authentication and enrollment.
Key Actionable Insights
1Implementing hardware-backed authentication can significantly enhance security against phishing attacks.By adopting FIDO2 standards and using hardware authenticators like YubiKeys, organizations can mitigate risks associated with compromised credentials and improve overall security posture.
2Creating a self-service portal for hardware procurement can streamline logistics and increase efficiency.Allowing users to order their own YubiKeys reduces the burden on IT teams and accelerates the distribution process, especially in large organizations with global teams.
3Choosing the right type of authenticator is crucial for user experience and security.Palantir opted for roaming authenticators to ensure flexibility for users working on various devices, which is essential for maintaining productivity in diverse environments.
Common Pitfalls
1
Underestimating the complexity of implementing passwordless authentication can lead to significant delays.
Many organizations may not anticipate the challenges associated with user behavior changes and platform limitations, which can hinder the rollout process.
2
Neglecting to provide adequate user education and support can result in increased frustration and resistance to new systems.
Without proper training and resources, users may struggle to adapt to new authentication methods, leading to potential security risks.
Related Concepts
Fido2 Authentication Standards
Zero-trust Security Models
Hardware Security Modules
Multi-factor Authentication Best Practices