Protecting yourself or your business from phishing attacks and other cyber threats has become increasingly difficult. While some have turned to two-factor authentication (2FA) as a means of protection, others have instead opted for physical security keys, with much greater success.
To learn more about security keys and how they can help organizations and individuals alike keep their accounts secure, TechRadar Pro spoke with Yubico’s chief product officer, Guido Appenzeller.
Can you tell us a bit about the origins of your company and what led to the creation of the first YubiKey?
In 2007, Stina and Jakob Ehrensvärd co-founded Yubico with the mission to make the internet a safer place for everyone. In 2008, the first YubiKey was launched — a single device, inspired by the word ‘ubiquity’, that would make secure login easy and accessible for all. In 2011, Stina, Jakob and their three children moved to Silicon Valley, to partner with the internet’s thought leaders, further develop the YubiKey, and scale new open authentication standards globally.
Now, Yubico’s technology is deployed and loved by 9 of the top 10 internet brands and by millions of users in 160 countries. The company is also a leading contributor to the FIDO Universal 2nd Factor (U2F), FIDO2, and WebAuthn open standards.
Where does two-factor authentication fall short when it comes to stopping phishing and man-in-the-middle attacks?
Any form of two-factor authentication (2FA) is more secure than none at all, but it’s important to note that not all 2FA is created equal.
Two of the more popular 2FA methods are SMS codes (text messages) or mobile authenticator apps, which both rely on re-typing or pasting a one-time code from one device or application to another. Not only can this be cumbersome for users, but it is also prone to error. These methods are also reliant on mobile access, posing a problem in environments where mobile devices do not work or are prohibited. What is perhaps most concerning is that one-time password 2FA methods are still vulnerable to modern phishing and man-in-the-middle (MITM) attacks. And most recently, we have seen malware-based attacks that steal both the password from a smartphone’s password manager and the one-time code. Against such an attack, a phone is essentially a single-factor authentication device.
FIDO-based security keys provide a higher level of security while also delivering a seamless user experience. The FIDO U2F and FIDO2 standards, and compatible security keys, leverage public key cryptography to protect against phishing and man-in-the-middle attacks. Even if a user is tricked into giving up their personal information, as in the case of a phishing attack, a FIDO security key can’t be fooled. User credentials are bound to the origin, meaning that only the real site can authenticate with a key. Security keys are also designed to work with just one touch, making login up to four times faster than one-time passcodes.
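The origin binding described in the two answers above can be made concrete with a small model of the WebAuthn assertion flow. This is an added example, not Yubico's code and not from the interview: the Authenticator type, the origins, the challenge strings and the reduced authData are assumptions constructed for illustration, while the verification order (challenge, origin, rpIdHash, then an ES256 signature over authData || SHA-256(clientDataJSON)) follows the WebAuthn specification. The contrast with the one-time-code case from the previous answer is the point: a relayed OTP is accepted because nothing ties the code to the site the user typed it into, whereas a relayed assertion fails the origin check, and rewriting the origin field before forwarding it breaks the signature.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// clientData holds the clientDataJSON fields that matter for origin binding.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the browser returns to the relying party; AuthData is reduced to rpIdHash here
// (real authenticator data also carries flags and a signature counter).
type Assertion struct{ AuthData, ClientDataJSON, Signature []byte }

// Authenticator is a hypothetical security key: one P-256 key pair per rpId it is enrolled with.
type Authenticator map[string]*ecdsa.PrivateKey

// Register creates a credential scoped to rpId; the relying party stores only the public key.
func (a Authenticator) Register(rpId string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a[rpId] = priv
	return &priv.PublicKey, nil
}

// signedMessage is the ES256 input: SHA-256 over authData || SHA-256(clientDataJSON).
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// Sign emulates navigator.credentials.get(): the browser, not the page, writes the origin it
// is actually displaying into clientDataJSON, and the key's signature covers that value.
// (Real browsers also refuse an rpId that is not the page's own domain or a parent of it.)
func (a Authenticator) Sign(rpId, browserOrigin, challenge string) (*Assertion, error) {
	priv, ok := a[rpId]
	if !ok {
		return nil, fmt.Errorf("no credential registered for rpId %q", rpId)
	}
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: browserOrigin})
	rpIdHash := sha256.Sum256([]byte(rpId))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(rpIdHash[:], cd))
	if err != nil {
		return nil, err
	}
	return &Assertion{AuthData: rpIdHash[:], ClientDataJSON: cd, Signature: sig}, nil
}

// Verify is the relying party's check: challenge, origin and rpIdHash must match, and the
// signature, which covers all three, must verify under the enrolled public key.
func Verify(pub *ecdsa.PublicKey, rpId, expectedOrigin, expectedChallenge string, as *Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != expectedChallenge {
		return fmt.Errorf("wrong type or challenge (stale or replayed assertion)")
	}
	if cd.Origin != expectedOrigin {
		return fmt.Errorf("origin mismatch: key signed for %q, not %q", cd.Origin, expectedOrigin)
	}
	if want := sha256.Sum256([]byte(rpId)); len(as.AuthData) < 32 || string(as.AuthData[:32]) != string(want[:]) {
		return fmt.Errorf("rpIdHash mismatch")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(as.AuthData, as.ClientDataJSON), as.Signature) {
		return fmt.Errorf("signature invalid (clientDataJSON altered after signing?)")
	}
	return nil
}

// TamperOrigin models a relaying phishing proxy rewriting the origin field before forwarding.
func TamperOrigin(as *Assertion, newOrigin string) *Assertion {
	var cd clientData
	_ = json.Unmarshal(as.ClientDataJSON, &cd)
	cd.Origin = newOrigin
	forged, _ := json.Marshal(cd)
	return &Assertion{AuthData: as.AuthData, ClientDataJSON: forged, Signature: as.Signature}
}

func main() {
	auth := Authenticator{}
	pub, _ := auth.Register("example.com")
	// Constructed origins and challenge; a real relying party sends fresh random challenge bytes.
	genuine, _ := auth.Sign("example.com", "https://example.com", "c1")
	relayed, _ := auth.Sign("example.com", "https://example-com.login.test", "c1")
	fmt.Println("genuine login:      ", Verify(pub, "example.com", "https://example.com", "c1", genuine))
	fmt.Println("relayed from phish: ", Verify(pub, "example.com", "https://example.com", "c1", relayed))
	fmt.Println("relayed + rewritten:", Verify(pub, "example.com", "https://example.com", "c1", TamperOrigin(relayed, "https://example.com")))
}
```

Running it prints `<nil>` for the genuine login, an origin-mismatch error for the assertion a user unknowingly produced on the look-alike origin, and a signature error once the proxy rewrites the origin field, because that field is inside the signed clientDataJSON. The challenge check is what stops a captured assertion being replayed later; the origin check is what stops it being relayed now.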
Google successfully introduced security keys at its own offices to stop phishing back in 2017. Are you aware of any other companies that had similar success stories after requiring their employees to use security keys?
Google’s compelling statistics around their internal use of YubiKeys have been a continued catalyst for many other large enterprises looking to eliminate account takeovers and reduce support costs. In fact, Google also released additional research that shows hardware security keys are the only viable authentication solution that can prevent phishing attacks 100% of the time.
While there haven’t been any other companies to release comparable statistics to Google, Yubico has seen great success with YubiKey deployments in more than 4,000 enterprises covering a range of technology, financial, healthcare, manufacturing, education, and government sectors. Top customers include Facebook, Virginia Tech, Dropbox, Salesforce, GitHub, Gov.UK and more.
Your company introduced the first multi-OS security key with the YubiKey 5Ci. How have customers responded to being able to use one security key to secure all of their devices?
So far, the response has been positive. Usability is a key consideration for Yubico, and it’s important that our customers have the best possible experience with our products. With individuals increasingly spending their time across a multitude of mobile devices, the YubiKey 5Ci was a natural next step in our product roadmap.
At the time of launch, Apple did not yet support open NFC on iPhones, making it difficult for iOS users to move seamlessly across devices with a YubiKey. The YubiKey 5Ci was the first product to solve for this, and it won a lot of praise from both press and customers.
With Apple’s open NFC and recent WebAuthn support in iOS and iPadOS Safari, we are excited for the upcoming release of the YubiKey 5C NFC. As a complement to the YubiKey 5 NFC — which has USB-A and NFC support — the YubiKey 5C NFC will be the next YubiKey form factor to work seamlessly across devices with both near field communication (NFC) and USB-C connections.
Google is now allowing smartphones to serve as security keys. What are the benefits of using a physical security key instead of relying on a smartphone for authentication?
There are major benefits to using a physical security key rather than relying on a smartphone for 2FA. As users move between different platforms and computing devices, having what we call a “portable root of trust” is essential. For example, an external security key that is not tied to a multi-purpose computing device lowers the attack vector, easily moves between devices or can be used to log into accounts on a new device, works in mobile-restricted environments like call centers or hospitals, and offers a trusted, high level of security assurance for sensitive operations like transferring large sums of money on a banking app.
For enterprises, a second advantage is that with a YubiKey there is a common authentication solution that works identically, and has the same security properties for all employees. If employees use their own phones, there are a variety of vendors, operating systems and operating system versions that may or may not be patched with all security fixes. Last year, we saw more than 100 vulnerabilities for both iOS and Android. It is very hard to achieve a high degree of security in such an environment.
This is the future Yubico envisioned when we helped to create the new FIDO2 and WebAuthn open standards. We intended for there to be a growing list of strong authentication choices for users, and for some of these authentication options to be built directly into devices. Improved choice and accessibility is important to drive widespread support for FIDO2 and WebAuthn. However, security keys will always serve an important role in this growing authentication landscape.
Is there anything you can tell us about your plans to release YubiKeys with fingerprint recognition?
At this time we don’t have many details to share about the YubiKey Bio, and we do not yet have a launch date. What we can share is that it will leverage the full range of multi-factor authentication (MFA) capabilities outlined in the FIDO2 and WebAuthn standard specifications with support for both biometric- and PIN-based login.
What does the future hold for Yubico and can you share any details on upcoming products or updates?
In addition to our upcoming product launches of the YubiKey Bio and YubiKey 5C NFC, Yubico will be heavily investing in the expansion of our new service-based offering: YubiEnterprise Services. YubiEnterprise Services is currently comprised of YubiEnterprise Subscription, and soon YubiEnterprise Delivery, to improve the process of procuring, delivering, and managing YubiKeys. The goal with YubiEnterprise Services is for Yubico to become a more valuable enterprise partner. The idea is that we will take a lot of the logistical complexities or resource roadblocks out of the equation, allowing our customers to focus on growing their core business.
We also anticipate some exciting advancements with FIDO2 and WebAuthn. Not only will we see continued growth and adoption from major services and applications, but we’ll also start to see these standards being used for things like e-payments, electronic identification and transactions, connected devices, and more.