Earlier this year Stina Ehrensvard was cited as a ‘Female Shooting Star’ in Sweden, reaching the national finals for Ernst & Young’s Entrepreneur of the Year.
Yubico was born in 2007, as a result of Stina’s passion for the Internet and mission to make secure login easy and available for everyone. The ID Bulletin had the pleasure of interviewing Stina about her journey, the company and the vision of a passwordless future.
Yubico is based in Sweden. What makes the country and its people so progressive in its adoption of new technology?
Yubico is headquartered in Stockholm, with the majority of our team and customers in Silicon Valley. Both these places are very strong on technology innovation.
Sweden is a small country that is dependent on the rest of the world for trade, fostering a humble, yet curious and open-minded mentality. Sweden has for decades offered good, free education for everyone, resulting in many well-educated engineers. High salaries for simple jobs have encouraged high automation, which requires modern technology. It is a good country to start a business, and the social welfare system encourages people to do so without taking too much personal financial risk. Sweden is also a country where citizens are not punished for questioning authorities, from early childhood and up, fostering innovation and healthy teamwork.
How realistic is a passwordless future and how long do you think it will take to get there?
After announcing the new FIDO2 standard, we received an overwhelmingly positive response to secure and passwordless logins, and we’re positioned to see its rapid growth with support from the FIDO Alliance, World Wide Web Consortium (W3C), and several of the largest internet providers.
Chrome, Firefox, and Dropbox all recently announced WebAuthn support, which is the web API component of FIDO2. Microsoft Edge is also actively working to add WebAuthn support. With a flurry of FIDO2 and WebAuthn integrations so early on, we expect many other services will be eager to catch up in the coming months. A significant benefit of an open authentication standard such as FIDO2 is that the number of implementations and use cases is limitless.
Where is the drive to replace passwords coming from?
Passwords have been an age-old pain point for both individuals and organisations due to their insufficient security, management and cost challenges, and lack of agility. Organisations spend countless hours resetting passwords, which, in turn, results in astronomical costs. On the management side, IT departments frequently provision credentials for new users which are then stored on a server that may or may not be secure. If that server is compromised, those passwords now become compromised as well.
To help solve this pain point, we created the FIDO U2F standard with Google, combining a password with a security key, such as a YubiKey. Once proven to offer the strongest defence against account takeovers at scale, Facebook, Dropbox and many others added support. Over the last year, we have worked closely with Microsoft and the open standards community to also enable a security key to work with a PIN or biometrics on the user devices. This resulted in the passwordless FIDO2 standard: enabling the replacement of weak password-based authentication with strong hardware-based authentication using public key (asymmetric) cryptography. These credentials cannot be reused, replayed, or shared across services, and are not subject to phishing and MiTM attacks.
Do you remember your Eureka moment for the idea of the YubiKey?
I started the company because I’m passionate about the Internet. I think it’s one of the most brilliant inventions of all time. In fact, the first time I logged on to the Internet I actually had somewhat of a spiritual experience and realised that it was a place of deep human connection.
I also learned that the Internet wasn’t secure when my husband told me he could hack into my online Swedish bank account in 24 hours. I quickly realised the potential of the Internet, but recognised security – or the lack of it – was standing in the way of its continued progress. It was in that moment we had discovered our mission: to develop one simple and affordable key to secure all of your online accounts. Ten years later, our customers can now use the YubiKey to log in to Gov.uk to pay taxes, and then log in to Facebook, Gmail, or their password manager using the same key. The best part is, there’s no information shared between these services.
Why is the YubiKey proving so popular when other hard-tokens are being replaced by soft-tokens?
The YubiKey has a few differentiating qualities that set it apart from other hard-tokens.
First, the YubiKey is built with ease of use in mind. What good is security if no one will want to use it? It has been proven that the YubiKey is four times faster than typing a One Time Passcode (OTP) and it does not require a battery or mobile connectivity, so it is always accessible. Additionally, the YubiKey supports multiple authentication protocols enabling one single hardware key to quickly integrate with an unlimited number of systems, services and applications, right out of the box and without a centralised service. YubiKeys also provide superior protection against more advanced phishing and MiTM attacks — attacks that soft tokens cannot protect against.
It’s the combined security, agility and ease-of-use that make YubiKeys a preferred authentication method for the world’s top companies including Google, Facebook, Dropbox, Salesforce and more.
With authentication conquered, what is the next challenge for you and Yubico?
I wouldn’t say that authentication is conquered, but rather it’s constantly evolving and becoming stronger and more usable. As a leading contributor to the FIDO U2F and FIDO2 standards, we have an important responsibility to educate and lead the rest of the ecosystem to adopt these open standards. Not just for authentication, but eventually for payments, IoT and other use cases.
Also, last fall we launched our new YubiHSM, which is seeing good adoption by leading technology and financial services, for securing encryption secrets on servers.
Our name Yubico originates from the word ubiquitous, and our mission is to make the Internet safer for everyone.