Hi,

Many of our blue collars need to be able to log on to computers that belong to our Active Directory domain. Since they only log on now and then, their passwords expire, they forget them, or they lock themselves out, causing too many password reset tickets on our helpdesk.

I am thinking of rolling out YubiKeys using PIV smart card logon on W10 machines. Only found one other question about this in this forum.

Since we have like a thousand blue collars, I will first do a POC of course, but in the meantime, are there any other admins that have deployed this already and are happy with it?

Kind regards

19 Spice ups

I’ve started looking into this for our mfg floor employees.

This is what I got so far:

We use Yubikeys here in IT.

We haven’t rolled out to everyone as we need to rebuild our Cert chains soon anyway.

Works great. You will have to make sure you roll out the driver first or stuff will act weird.

1 Spice up

I know lots of folk like these things and that the federal government use them, but we only have a couple and none of them are much use. If staff can’t recall passwords etc., are they really going to look after these?

I think accountability is key. We issue similar keys for access to our manufacturing equipment. When issued, they are informed that the loss of the device would incur a $50 deduction on their paycheck.

It is amazing how they guard them when there is a penalty (for replacement and administration) attached to it.

1 Spice up

Sufficiently long, memorable pass phrases (follow NIST on this) and a hardware token (Yubikey) as a second factor is a solid access control measure.

2 Spice ups

This I’d be happy with - but it seems to me the OP is looking to replace passwords with YubiKeys, not add 2FA - OP, can you clarify?

2 Spice ups

Super illegal in many jurisdictions.

(Actually deducting it, threatening it may or may not be).

It is considered a “tool”. And the deduction is only charged if the employee loses/misplaces or fails to return the device upon termination. Federal law allows the deduction of the reasonable cost of tools from an employee’s paycheck.

1 Spice up

Fair point. I was assuming that OP wanted to get away from expiring passwords.