Since then, security experts pointed over and over again to maybe the best cybersecurity stocking-stuffer of the year: YubiKey, a tiny authentication key that provides phishing-proof defense in an age where phishing continues to be the biggest attack vector against the powerful and ordinary alike.
Launched in 2004 by the Swedish-American security firm Yubico, the product has exploded over the last year with a “huge spike” in orders, Jerrod Chong, the company’s vice president of solutions, told CyberScoop.
“We’ve been traditionally getting individual orders in the hundreds for agencies, divisions, small groups over the past years,” Chong said. “This year we are seeing orders in the tens of thousands. It’s a sizable magnitude.”
YubiKeys are a small keychain-sized device widely lauded (along with competitors) as “the most effective” protection against phishing attacks. Just plug the YubiKey into your computer, touch it, and gain access to your account. The key holds your identity and generates one-time passwords so that no one else can login without that extra authentication.
Devices like YubiKeys are significant steps up from other forms of 2 Factor Authentication (2FA) like text messages and authenticator apps that can be spoofed, phished, and surveilled.
It’s also a device to store encryption keys (how exactly they do that recently generated a bit of controversy) and a handful of other important security functionalities. But it’s the 2FA that got people’s attention first.
As any security expert will shout from the rooftops you should have 2FA of some sort turned on for all your accounts at a bare minimum. YubiKey is the most secure way to do it, followed by an authentication app and then SMS.
In just the past few days, Christopher Soghoian at the American Civil Liberities Union has sung YubiKey’s praises. Zeynep Tufekci from the New York Times told her followers to buy it, use it and gift it. Martin Shelton, a privacy user researcher who works with the Times and OpenNews, endorses YubiKey as well.
2016 has been a perfect storm for Yubico. A growing tide of high-profile data breaches, new legislative mandates, and popular demand is pushing potential customers to pull the trigger on purchases big and small.
On the government side, it’s been a “milestone year.” Numerous civilian federal agencies in the U.S. made large purchases from the company in 2016 — it declined to specify which agencies or how big the purchases were — based largely on the YubiKey’s expanding ability to replace the federal smart card. Governments in Sweden, the United Kingdom, and Germany are big and growing YubiKey customers as well.
Through partnerships with the Electronic Frontier Foundation and the Freedom of the Press Foundation, Yubico is also working to equip highly targeted but often low-tech communities like journalists and LGBT activist groups with security knowledge and tools that might be otherwise out of their reach.
Building the buzz further, there’s been attention-grabbing work with Google and several industry awards. The company also won a $2.27 million grant that Yubico wants to lead to strong authentication for “all citizens of the U.S.,” Chong explained. The pilot program is currently going on with students and residents in Wisconsin and Colorado.
“The goal is that this could be a model for a larger-scale deployment,” he said.
On the regulation front, the company is dedicating resources toward aggressively moving forward. The newest YubiKeys are in the National Institute of Standards and Technology (NIST) validation process for compliance with the Federal Information Processing Standard (FIPS) Publication 140-2. Moves like that are not just immediate big-deal green lights within the kind of enterprise customers that YubiKey thrives on and makes 70 percent of its revenue from — they also make big purchases easier and more streamlined for the future.
(If you’re putting a little cybersecurity in your family and friends’ stockings this December, remember to add some chocolate after that.)