We’ve never been good at authentication, and the problem is about to get much bigger.
Most authenticating currently is human-to-system, but increasingly it’s system-to-system, device-to-device, smart-car-to-street-signs, and so on. There has been progress on this expanding problem set, however, and it’s as simple as the keychain in your pocket. Hardware security keys are one of the most effective defenses anyone can have in this era of catastrophic and cacophonous account takeovers. Thanks to small USB security keys issued to all 85,000 of the company’s employees, for example, Google’s workforce hasn’t suffered a single confirmed account takeover in over a year. That little statistic made headlines on the tech blogs for good reason.
The company at the head of that movement is Yubico. The founder and CEO, Stina Ehrensvard, spends her days pitching her keys and the technology within as a long-term solution to many of the security problems plaguing every corner of cyberspace, from elections to the electric grid. Now that Google is making its own key, the market is likely to get a whole lot bigger — and the business may get a lot more competitive, too.
CyberScoop: Fourteen months after the company took on a $30 million investment, can you talk about Yubico’s growth in the past year?
Stina Ehrensvard: There are 150 people in the company. We’ve been profitable for six years. We have teams in eight countries but the core teams are in Stockholm, Palo Alto and Seattle. The big thing that’s changed in the last year is that we won 19 of the 20 biggest internet companies on the planet. Google, Facebook, Salesforce, Dropbox, Microsoft. What I’m most excited about is that we’re now getting to more traditional enterprises in retail, financial services, cryptocurrency, areas outside of the Silicon Valley giants.
CS: Are Yubikeys being used inside government?
SE: Governments move slower, but I’m seeing momentum. It’s starting to have a snowball effect. We have Yubikeys securing elections across the world, something we’ll talk about in more detail soon. 2018 is our year. A lot of the things we’ve been saying for many years are becoming more clear, that there isn’t a silver bullet for authentication and there is a very clear need for a hardware root of trust.
CS: Where is the $30 million going?
SE: We are getting into the Internet of Things. We are getting into payments on browsers, next generation payments, servers, smart driving. It’s the foundation for next generation secure internet, it’ll have the same strong impact that SSL had in the past. It’s been a team effort with these internet giants to make it happen. It’s not an everyday product. Microsoft is supporting Yubikey in Microsoft Edge and other services this fall and there will be more to follow.
We want to influence internet services that don’t support it. We had a guy reach out, a wealthy entrepreneur who talked to his wealth management service and said how come I can secure my Facebook and Google account with good security using Yubikey but the security isn’t as a good for the place with all my money. That bank wanted to have a dialogue with us and we wanted to support them. There is no cost except a couple of days of integration work so you can have it in addition to whatever you have today.
Driving goals and standards is the most difficult thing. I’m happy I didn’t know it would take seven years to get there, there are still one or two years until full snowball effect. If I knew, I would probably have said I don’t have time for this. It’s too long. I’m happy I wasn’t warned.