How Rippling runs IT: Strengthening MFA with Yubikeys

For any company that relies on cloud-based systems, multifactor authentication is a critical part of maintaining a strong security posture. As a security team supporting over 2,500+ employees, we believe not all MFA methods are created equal. 

Some of the most common methods, like SMS tokens or security questions, just don’t cut it for the amount of sensitive data we have to safeguard. These methods are especially prone to phishing, and they put the onus on employees to be vigilant. Rippling’s employees undergo extensive phishing-prevention training, but as much as we can, we want to free our employees from judging which sites are trustworthy. 

At Rippling, we employ various MFA methods; the method an employee uses depends on the risk associated with their function. Some employees are authorized to use platform authenticators, but in many cases, we require them to use hardware-based security keys. 

Our preferred hardware security key is the YubiKey. Yubikey allows employees to authenticate into their systems via USB, lightning, or NFC with a simple tap. Hardware keys like YubiKey are proven to be the most effective and trusted authentication methods for safeguarding data and mitigating phishing attacks. 

Why YubiKey? 

The YubiKey fits a standard USB, USB Type-C, or Apple Lightning port, as well as NFC functionality for use on mobile devices. It uses modern, WebAuthn standards to create a unique key pair between the service or app being signed into and the physical device. 

A YubiKey must be origin-bound to the domain for which it’s registered. That means it can only authenticate into the services and apps where you’ve already configured it, like Salesforce or AWS. If YubiKey doesn’t recognize the service, it won’t authenticate it, no matter how convincing it seems. This makes YubiKey especially secure against phishing and other sophisticated man-in-the-middle attacks. 

On top of being more secure, YubiKey is easier for employees to use. They won’t have to cross-reference and then type in a six-digit code to authenticate. Instead, they simply tap the YubiKey that’s plugged into their device. Then, YubiKey authenticates with a much more sophisticated code.  

How to implement YubiKey orders with Rippling

We’ve partnered with Yubico, creator of YubiKey, to make security management to enable customers using Rippling App Management to automate the purchase and shipment of security keys. We’ve built a robust integration with Yubico, so our customers get direct access to YubiKeys without having to manage a Yubico account or custom integrations.

Admins can create their own account using the YubiKey Ordering app, choose which employees automatically get a YubiKey, the type of YubiKey they will get, and manage billing—directly in Rippling. 

You can use Supergroups to set up ordering policies. A Supergroup is a dynamic group of employees built using any attribute you want—like department, location, tenure, and more—instead of individual user IDs.

Not only are Supergroups granular, the policies you can build using them are very configurable, too. It only takes a few minutes to define hyper-custom security policies and assign them to Supergroups. Then you’ll never have to worry about shipping keys to the right people again.

Let’s say you want a specific subset of employees to receive the YubiKey 5 NFC. You can start by building a Supergroup—employees whose work location is Remote, department is Engineering, and subteam is Infra. After that you can build a policy that says any employee in this Supergroup should automatically receive a YubiKey at their home address. 

At Rippling, we’ve found that using policies and Supergroups allows us to maintain a strong security posture without reinventing the wheel with every new hire. Plus, your team, the employee, and their manager can track the YubiKey’s shipping status in Rippling’s YubiKey Ordering app for extra visibility. 

Automating YubiKey management with Rippling

Because of YubiKey’s deep integration with Rippling, we can build powerful functionality that monitors and controls the YubiKey usage across our team. 

For example, our team has a workflow that monitors YubiKey activity for any Rippling employee who’s required to use one. If the YubiKey was delivered to the employees more than 3 days ago and they’re not using it as their MFA method, Rippling automatically sends a notification to that employee and their manager. 

We’ve built this using Workflow Studio. In Workflow Studio, we go to the YubiKey category, select “Order details,” and then choose “Delivered at” as the field. By selecting “is exactly 4 days ago,” we’ve created a trigger that will fire when a YubiKey has been delivered more than 3 days ago.

But since we don’t want the trigger to fire any time one of our employees had had their YubiKey for more than three days, we need to add another trigger to the workflow’s condition. 

For the second trigger, we go to the Employee category, search for “MFA method” as our field, and then specify the trigger should fire when this field is “anything except a security key.” Now, the workflow will only happen if both triggers of the condition are met.

This way everyone is aware of what has happened—and we can address the security gap. 

For your convenience, we’ve set up this workflow for you to install here. But you can build any number of workflows using the data associated with your YubiKey and apply them to any group that you want. Generally, workflows are a great way to proactively monitor all of your security risks, especially as you scale.

This is just one example of how we use YubiKeys to maintain a stronger security posture—and Rippling to create an additional layer of protocol. The Rippling App Shop has hundreds of integrations with third-party apps, many of which can help your company foster a stronger culture of security.