Stina Ehrensvard was signing up for online banking in 2005 when her husband Jakob, a white hat hacker, leaned over her shoulder and told her he could write the code to hack and empty her account within hours.
The comment was a wake-up call for her about the insecurity of some basic processes online and also stung her into action.
The Seattle-born, Stockholm-raised CEO of Yubico was soon thinking about how to tackle the challenge. Within three years she had launched the company’s YubiKey – a portmanteau of “your ubiquitous key” – with her husband in the CTO role.
The product plugs into a USB port and functions as a hardware authentication device, offering two-factor authentication and more for a variety of services and operating systems.
(Yubico also co-authored the FIDO2 and U2F standards with Microsoft and Google and is a founding member of the FIDO Alliance – an industry consortium launched in February 2013 to address the lack of interoperability among strong authentication devices).
She told Computer Business Review: “When I first used the internet for this purpose [online banking] I had a spiritual vision where I realised the internet has huge potential for humanity and will be a place where everyone can be connected together in the future without any sort of discrimination.”
Connections need Encryption
Verizon’s Data Breach Investigations Report for 2018 highlights that 93 percent of data breaches involved phishing; with email being the most common social attack vector at 96 percent.
Ehrensvard told Computer Business Review: “Usually password breaches happen when there is some type of software involved, the YubiKey is different and unique as it is a type of hardware that needs to be physically present which attackers cannot access”.
With an original background in product design, the idea of creating new products was second nature to this CEO and gave her the idea for an outwardly simple product that would stop hackers from abusing usernames and passwords, by adding a unique extra layer of authentication that cannot be deceived.
Grass-Green; Military-Grade Gold
The design, naturally, got a little love too.
She told Computer Business Review: “We made it green for three reasons: it represents easy user access, it is like grass – the YubiKey is continuously growing everywhere and it is a friendly colour to show the positive angle of cyber security rather than the negative”.
(The key is made of injection-moulded plastic that encases the circuitry. The exposed elements consist of military-grade hardened gold. The keys are water-resistant and crush-resistant).
In Japanese, the word “yubi” means “finger”, and by touching the YubiKey, a user verifies human presence and that the user is not a remote hacker.
It requires the user to set up a username and password with the online service; it then adds a key as an extra authentication factor. From this point, no one can access these accounts without the key so if an attacker does manage to gain passwords, they cannot log in to accounts without the key.
Immune from USB Ban?
The product, which looks like a simple USB stick, is immune from replay-attacks, man-in-the-middle attacks, and numerous other threat vectors. The Yubikey works with servives including Google, Facebook, Gmail, Dropbox, Salesforce and many more.
(CTO Jakob Ehrensvard has a long security lineage. Stina told us that he is a direct descendant of Augustin Ehrensvard, who 1748 designed an innovative fortress to protect Sweden against Russia, and was later ennobled by the Swedish king for his work.)
As for ubiquitous: Ehrensvard told Computer Business Review that their use is mandatory at Google and increasingly so across many Silicon Valley companies.
Yet as companies increasingly ban the use of USB drives for security reasons, does that pose a threat to her business model?
She emphasises: “As the YubiKey is an authentication device and not a USB memory, and it identifies itself as a standard USB keyboard that is accepted by almost all companies. What security conscious companies want to avoid is plugging in a USB-memory stick that may include malware, which is not possible with the YubiKey.”
New SDK Kit
In April 2018, Yubico announced the new Security Key by Yubico will be supported in Windows 10 devices and Microsoft Azure Active Directory (AD), meaning organisations will soon be able to enable employees and customers to sign into an Azure AD-joined device with no password, as it will be using the Yubico Security Key.
Yubico also announced the availability of new software development (SDK) kit for iOS to allow mobile app developers to quickly integrate YubiKey NEO near-field communication (NFC) two-factor authentication (2FA) into Apple iOS applications, enabling apps to be secured with YubiKey devices.
Last week the privately held company also reported that password manager LastPass had released the latest version of its password management app with fully integrated support for the YubiKey NEO over NFC on iOS.
The most worried customer she’s had so far?
The one whose dog ate his YubiKey, she laughs. (The company recommends registering two YubiKeys for each service where you enable two-factor authentication. “If you lose a YubiKey, log in using your backup key or another backup optio; i.e. Google Authenticator or backup codes”.)