Make the secure connection accessible to everyone: Q&A with Yubico

Protecting yourself or your business from phishing and other cyber threats has become increasingly difficult. Some turned to two-factor authentication (2FA) for protection; others chose physical security keys, with considerably more success. To learn more about security keys and how they help organizations and individuals protect their accounts, TechRadar Pro spoke with Yubico's product manager, Guido Appenzeller.

Can you tell us a little about the origins of your business and what led to the creation of the first YubiKey?

In 2007, Stina and Jakob Ehrensvärd co-founded Yubico with the mission of making the Internet a safer place for everyone. In 2008, the first YubiKey was launched, a unique device, inspired by the word "ubiquity", that would make secure connection easy and accessible to everyone. In 2011, Stina, Jakob, and their three children moved to Silicon Valley, to partner with Internet thought leaders, further develop the YubiKey, and expand new open authentication standards globally. Now, Yubico's technology is implemented and appreciated by 9 of the 10 largest Internet brands and millions of users in 160 countries. The company is also a leading contributor to the FIDO Universal 2nd Factor (U2F), FIDO2, and WebAuthn open standards.

Where is two-factor authentication lacking when it comes to stopping phishing and man-in-the-middle attacks?

Any form of two-factor authentication (2FA) is more secure than zero, but it's important to note that not all 2FAs are created equal. Two of the most popular 2FA methods are SMS (text messaging) codes or mobile authenticator apps, which rely on redialing or pasting a one-time code from one device or app to another. Not only can it be burdensome for users, but it is also prone to errors. These methods also rely on mobile access, which is problematic in environments where mobile devices do not work or are prohibited. Perhaps most worryingly, 2FA's one-time password methods remain vulnerable to phishing and man-in-the-middle (MITM) attacks. And more recently, we've seen malware attacks that steal both a smartphone's password manager password and unique code. Against such an attack, a phone is essentially a single factor authentication device. FIDO-based security keys provide a higher level of security while providing a seamless user experience. FIDO U2F and FIDO2 standards and compatible security keys exploit public key cryptography to protect against phishing and man-in-the-middle attacks. Even if a user is required to hand over their personal information, such as in the case of a phishing attack, a FIDO security key cannot be fooled. User credentials are bound to the origin, which means that only the actual site can authenticate with a key. Security keys are also designed to work with a single touch, making connection up to four times faster than one-time passcodes.
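
As an added illustration of the origin binding described above (example code written for this page, not Yubico's or the interviewee's), the Go model below simulates a simplified WebAuthn assertion: the authenticator signs over the origin that the browser supplied together with the relying-party ID (rpID), and the relying party rejects anything whose signed origin or challenge is not its own. The domains example.com and examp1e.com, the in-memory credential store and the message layout are constructed assumptions; the real specification hashes rpID and client data separately.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"strings"
)

// Assertion: the browser-built client data (origin included) and a signature over it plus the rpID.
type Assertion struct{ ClientData, Signature []byte }

// Constructed credential store: one key pair per relying-party ID (rpID), created at registration.
var credentials = map[string]*ecdsa.PrivateKey{}
func Register(rpID string) *ecdsa.PublicKey {
	credentials[rpID], _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &credentials[rpID].PublicKey
}
// Assert models browser plus key: the browser (not the page) fixes the origin and refuses an rpID that
// is not a suffix of it, so a look-alike site cannot borrow the real site's credential; nil means refused.
func Assert(origin, rpID, challenge string) *Assertion {
	host := strings.TrimPrefix(origin, "https://")
	if host != rpID && !strings.HasSuffix(host, "."+rpID) {
		return nil // browser refuses: rpID must be a registrable suffix of the origin
	}
	k, ok := credentials[rpID]
	if !ok {
		return nil // the key holds no credential for this rpID
	}
	cd, _ := json.Marshal(map[string]string{"type": "webauthn.get", "challenge": challenge, "origin": origin})
	msg := sha256.Sum256(append([]byte(rpID), cd...)) // simplified; WebAuthn hashes rpID and client data separately
	sig, _ := ecdsa.SignASN1(rand.Reader, k, msg[:])
	return &Assertion{ClientData: cd, Signature: sig}
}
// Verify is the relying party's check: the signed origin and challenge must be its own, and the
// signature must verify under its own rpID with the public key stored at registration.
func Verify(pub *ecdsa.PublicKey, origin, rpID, challenge string, as *Assertion) bool {
	var cd struct{ Type, Challenge, Origin string }
	if as == nil || json.Unmarshal(as.ClientData, &cd) != nil || cd.Type != "webauthn.get" || cd.Origin != origin || cd.Challenge != challenge {
		return false
	}
	msg := sha256.Sum256(append([]byte(rpID), as.ClientData...))
	return ecdsa.VerifyASN1(pub, msg[:], as.Signature)
}
func main() {
	pub := Register("example.com")
	as := Assert("https://example.com", "example.com", "nonce-1")
	fmt.Println("genuine site accepted:", Verify(pub, "https://example.com", "example.com", "nonce-1", as))
	fmt.Println("look-alike site gets an assertion:", Assert("https://examp1e.com", "examp1e.com", "nonce-1") != nil)
}
```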

Google managed to introduce security keys into its own offices to stop phishing in 2017. Do you know of other companies that have had similar success after forcing their employees to use security keys?

Google's compelling statistics on its internal use of YubiKeys have been an ongoing catalyst for many other large companies looking to eliminate account takeovers and reduce support costs. In fact, Google has also published additional research showing that hardware security keys are the only viable authentication solution that can prevent phishing attacks 100% of the time. Although no other company has published statistics comparable to Google's, Yubico has had great success with YubiKey implementations in over 4,000 companies spanning a range of sectors from technology, finance, healthcare, manufacturing, education, and government. Major clients include Facebook, Virginia Tech, Dropbox, Salesforce, GitHub, Gov.UK, and more.

Lightning YubiKey

Your company has introduced the first multi-operating system security key with the YubiKey 5Ci. How have customers reacted to the possibility of using a single security key to protect all their devices?

The response to date has been positive. Usability is a key consideration for Yubico, and it is important that our customers have the best possible experience with our products. With people spending more and more time on a multitude of mobile devices, the YubiKey 5Ci was the natural next step on our product roadmap. At the time of release, Apple did not yet support open NFC technology on iPhones, making it difficult for iOS users to seamlessly move between devices with a YubiKey. The YubiKey 5Ci was the first product to solve this problem, and it has received high praise from the press and customers. With Apple's open NFC and recent support for WebAuthn in iOS and iPadOS Safari, we're excited about the next version of the YubiKey 5C NFC. In addition to the YubiKey 5 NFC, which supports USB-A and NFC, the YubiKey 5C NFC will be the next YubiKey form factor that will work seamlessly on all devices with Near Field Communication (NFC) and USB-C connections.

Google now allows smartphones to be used as security keys. What are the advantages of using a physical security key instead of relying on a smartphone for authentication?

There are big advantages to using a physical security key instead of relying on a smartphone for 2FA. As users move between different platforms and different computing devices, having what we call a "portable root of trust" is essential. For example, an external security key that is not tied to a general purpose computing device reduces the attack vector, is easily moved between devices or can be used to log into accounts on a new device, works in mobile access environments, such as call centers or hospitals, and provides a high and reliable level of security guarantee for sensitive operations such as the transfer of large amounts of money to a banking application. For businesses, a second advantage is that with a YubiKey, there is a common authentication solution that works identically and has the same security properties for all employees. If employees use their own phones, there are a variety of vendors, operating systems, and operating system versions that may or may not be patched with all security fixes. Last year, we found more than 100 vulnerabilities for iOS and Android. It is very difficult to achieve a high level of security in such an environment. This is the future that Yubico envisioned when we helped create the new open standards FIDO2 and WebAuthn. We wanted there to be a growing list of strong authentication options for users, and for some of these authentication options to be built right into the devices. Improving options and accessibility is important to promote broad support for FIDO2 and WebAuthn. However, security keys will continue to play an important role in this growing authentication landscape.

YubiKey Organic

Is there anything you can tell us about your plans to launch YubiKeys with fingerprint recognition?

At the moment, we don't have many details to share about Bio YubiKey, and we don't have a release date yet. What we can share is that it will take advantage of the full range of Multi-Factor Authentication (MFA) capabilities outlined in the FIDO2 and WebAuthn standard specifications with support for biometric and PIN-based login.

What does the future hold for Yubico, and can you share details about upcoming products or updates?

In addition to the upcoming launches of our YubiKey Bio and YubiKey 5C NFC products, Yubico will invest massively in expanding our new service-based offering: YubiEnterprise Services. YubiEnterprise Services currently consists of YubiEnterprise Subscription, and soon YubiEnterprise Delivery, to improve the process of provisioning, delivering, and managing YubiKeys. The goal of YubiEnterprise Services is for Yubico to become a more valuable business partner. The idea is that we remove a lot of the resource-related logistical complexities or roadblocks, allowing our clients to focus on growing their core business. We also anticipate exciting developments with FIDO2 and WebAuthn. Not only will we see continued growth and adoption of major services and applications, but we'll also start to see these standards used for things like electronic payments, electronic identification and transactions, connected devices, etc.