Introducing Rippling + YubiKey: Better security, less busywork


Sep 16, 2021

With remote and hybrid workforces becoming the norm, it’s increasingly hard for IT managers to implement security policies that can protect their organization’s data. This is especially true when their remote workforce has a bring-your-own-device policy.

Modern organizations prioritize the implementation of multi-factor authentication (MFA) to ensure that the person logging in to company systems is who they say they are. For companies with sensitive data, MFA is critical for maintaining a strong identity management system.

But some basic MFA methods, like SMS tokens or security questions, put the onus on individual employees to determine whether they’re entering their information into a legitimate website or being phished by a fake website. As amazing as your employees are, a policy that relies on employee vigilance isn’t a resilient one. What results is a loosely implemented MFA policy that leaves sensitive company data susceptible to hackers.

This is where the YubiKey comes in. The YubiKey is a modern, hardware-based security key that allows employees to authenticate into their systems via USB, Lightning, or NFC, with a simple tap. Of the various MFA types, a hardware key like the YubiKey is proven as the most effective and trusted authentication method for safeguarding your data and mitigating phishing attacks.

Security made easy with the YubiKey Ordering app

We’re excited to announce the launch of Rippling’s YubiKey Ordering app. It takes the security busywork out of employee onboarding while enabling administrators to implement security protocols that really protect the business. Even simpler? With the YubiKey Ordering app, you can manage YubiKey licenses directly through the Rippling dashboard. No need to set up a new vendor or manage the logistics of shipping a physical key to every remote employee.

Here at Rippling, we believe that the YubiKey hardware key is a critical part of cybersecurity—so much so that we’re implementing YubiKey authentication across our entire organization to protect our accounts and company data. Below, we’ll explain why YubiKeys are more resilient than other means of MFA.

Why do you need a YubiKey to prevent phishing?

Let’s take a look at why YubiKey is the preferred authentication method for stopping sophisticated phishing attacks. The YubiKey fits a standard USB, USB Type-C, or Apple Lightning port, and it also offers NFC functionality for use on mobile devices.

Security keys are generally more secure and usable than common alternatives like SMS and Time-Based One-Time Password (TOTP) applications. TOTP codes can be vulnerable to man-in-the-middle attacks, a common type of cybersecurity attack that tricks the user into entering their TOTP code into a fake web page.

YubiKeys use modern WebAuthn standards to create a unique key pair between the service and the physical device. The key is origin-bound to the domain for which it is registered, preventing phishing and other sophisticated man-in-the-middle attacks.

Imagine one of your employees receives an email trying to trick them into logging in to a fake website. With a YubiKey, any authentication attempt will fail, preventing the phishing attack, because the device will only communicate with the domain it is registered on. The YubiKey only allows the public key to be sent to the correct and intended domain—never a fake URL. It’s also easier to use than TOTP because your employee just has to tap their key instead of entering a 6-digit code.

How Rippling streamlines YubiKey ordering and management

We partnered with Yubico, creator of YubiKey, to make security management even easier. Rippling now integrates Yubico’s API, enabling customers with Rippling’s App Management package to automate the purchase and shipment of security keys directly from their Rippling dashboard. Customers get direct access to YubiKeys without having to manage a Yubico account or custom integrations. 

As an Identity Management platform, Rippling already has the infrastructure to manage provisioning as well as creating and managing accounts in third-party apps when employees join the company. For instance, admins can set up an integration with Zoom and choose which employees automatically get a Zoom account, plus assign them the right role within their Zoom account—Owner, Admin, or Member—based on their employee profile.

Our integration with YubiEnterprise Delivery is very similar. That’s why ordering a YubiKey is so seamless in Rippling. Admins can create an account using the YubiKey Ordering app, choose which employees automatically get a YubiKey, the type of YubiKey they will get, and manage billing—all from the Rippling dashboard.

With the YubiKey Ordering app, you can: 

  • Bulk-purchase YubiKeys for employees directly through Rippling
  • Set up a policy to automate YubiKey ordering and shipping during employee onboarding
  • Track YubiKey order status for each employee in the Rippling dashboard 
  • Consolidate licenses, billing, and key management through Rippling

FIDO authentication with WebAuthn

Rippling customers get support for WebAuthn, a browser-based API that makes it easy for web services to integrate secondary authentication factors. That includes USB security keys, like YubiKey, and biometric readers, like Touch ID or Face ID. These options limit the authentication information to each device, so credentials are never shared across the internet. After setting up a YubiKey, customers can add their internal authenticators in order to make secondary authentication even faster. 

At Rippling, we love delivering updates that make it easy for our customers to tighten their security—whether you’re a security expert or have zero domain expertise. That’s why we’re excited to launch the YubiKey Ordering app. Rippling automates away the busywork, so that you can focus on the important things.

To celebrate this launch, Rippling customers will receive 10% off on their YubiKey orders!

last edited: April 25, 2023

The Author

Sam Gnesin

Product Lead