Q&A: Yubico brings FIDO authentication protocol to the masses
Yubico founder and CEO Stina Ehrensvard spoke with SearchSecurity at RSAC 2017 about FIDO authentication and how Google uses it to secure logins and cut costs.
SAN FRANCISCO -- If the FIDO authentication protocol eventually provides a solution to the "password problem," users -- individuals, companies and developers -- will need devices and software capable of supporting the new protocols for strong authentication.
Stina Ehrensvard, CEO and founder of Yubico, the maker of the YubiKey hardware authentication device -- one of the most visible products capable of supporting the FIDO authentication protocol -- sat down with SearchSecurity for a quick session at RSAC 2017.
Not only has Yubico been able to help companies like Google save money and protect themselves and their employees by deploying YubiKey, but the company has also literally saved the lives of journalists and others operating under nondemocratic regimes.
Editor's Note: This interview was lightly edited for clarity.
How did your vision for strong but simple authentication come about?
Stina Ehrensvard: I started the company with the vision of having one single key to any number of services, and making secure login easy and available for everyone. That was the vision. The first concept we came up with was YubiKey, which was a one-time password device and you touch it and it generated codes directly through the keyboard; you didn't have to download anything, you didn't have to retype anything, it was really simple.
With that, we added open source server components so anyone can integrate it. And a company [that] was interested in it was Google, and a few others here in Silicon Valley. And when they started buying my product, I wrote my first business plan.
I said, "Let's move to Silicon Valley and work with the thought leaders to figure out how our technology can scale to end users, and we figured out what kind of threats they are seeing so we eventually can build in this technology directly into browsers, into computers, into devices. It just works out of the box." And that's what we did.
The birth of the FIDO authentication protocol
We created FIDO Universal 2nd Factor (U2F), the new global authentication standards, together with Google. The standard, once created, was deployed for all Google's staff and then brought into FIDO Alliance, and it's now a protocol within the FIDO Alliance that is merging with other efforts there to become the new global authentication standard, taking public key crypto, taking smart key technology that is already proven with chip-and-PIN cards, smartcards. But they are so complicated to use, with drivers and client software and readers. Also, there's a very important innovation that we brought that -- actually Yubico's CTO who is my husband, by the way -- it's the invention that… FIDO U2F generates a new key pair of secrets for every service it connects to. So, I can log into Gmail and then I can set this up for Dropbox, eventually for my IRS account, for my bank account, for everything.
And there [are] no shared secrets between the services. This way there is not one central service provider, there's not one corporation, there's not one government [that] sits and owns and controls all the services.
We're taking this back to users. You said you use this for your Gmail account, and I don't know that you set it up for your Gmail -- I'm not following you. We don't even know. It doesn't necessarily tie to identity, just to authentication.
FIDO authentication protocol saves lives
Just to the chip.
Ehrensvard: Yes, just the chip. We're working on systems now to tie this to your real identity, but that's optional. And I'm very proud, we're actually saving lives today. We work together with Freedom of the Press [Foundation], [that is] educating journalists and dissidents around the world [about] how to protect themselves from nondemocratic governments, and YubiKey and the FIDO authentication protocol is one of the protocols and technologies that they recommend to stay secure and private. And I got an email from a journalist in Russia who said "thank you for saving my life." That was very touching. He had set up his account with a Gmail account, and then some of his co-workers had not secured their Gmail with YubiKey, and they were hacked, and they are no longer alive.
Wow.
Ehrensvard: Yes. So our mission is bigger than our company. The vision is: help to drive a global standard. In addition to the FIDO U2F protocols we have the one-time password feature, which works great for VPN. We've added the smartcard features which work great for logging into computers and systems that have native support for smartcards, and then we will continue to develop new features on the YubiKey, including encryption, including things that can work for payments. The key is having one single key to a lot of things and it works both for businesses, for consumers and for developers who want to integrate into their existing software and services.
How does YubiKey differ from one-time password cards like SecurID?
Ehrensvard: The SecurID token has a little display and it generates a six-digit code that you only have a short timeframe to retype; it's not very end-user friendly. Also, that token can only be used for one service, one centralized service. And…the keys to that service [can be] compromised -- and you may know that RSA Security was compromised five or six years ago, but 15 million devices were compromised because it had one central storage. Also, the user experience isn't great, it has batteries, you have to retype. So the difference is the user experience [for YubiKey] is just simple touch, combined with a PIN or a password and you touch. And the way the codes were built into the intelligence, into the browser, you only have to set it up once for a service. When you log into your Gmail or your Facebook, it's only once, you don't have to do it every time. The other thing is that SecurID does not protect against phishing and man-in-the-middle attacks. Just on a bare basic level, but the phishing attacks are becoming more and more sophisticated and once you have that timeframe of half a minute, the bad guys can actually get in and get things done, even in a half minute.
That general one-time password technology is no longer recommended for high-security applications. It's good enough -- it's much better than username and password -- but it's not the perfect one. The smart card has been around for thirty years or more; they have good security, but they're so complicated, with drivers and readers and client software and middleware, and the [certificate authority] and again, they also need to run as a centralized service, and this is not scalable.
So we said, just make it simple, make it affordable, make it available for everyone, make users choose what devices they want to buy, we created the standard, we put out the code, we put out free open source servers, and since Google deployed this for all their staff, they've cut down on fraud to almost zero, for 70,000 staff. They cut support calls to half compared to the phone authenticator. Because if you have a phone authenticator, you only have one authenticator, you lose it -- it's gone. It's the same if you only have one device, what is your backup? With this one, they actually give everyone at Google two or three keys, so they have a backup. And then the third thing is they were able to just save time because this is faster to log in. You can just touch it, or you can set it up to be there for a long time, compared to having to retype codes.
It's faster, more secure and less costly. ... They realized that this was less costly than their free mobile authentication app that they own, and that they don't charge for -- because of support costs.
Are enterprises taking up YubiKey?
Ehrensvard: Big companies buy all these protocols. YubiKeys, [one-time passwords], U2F and the PIN depending on if they're going to log into Twitter, they're going to log into web services or VPNs, it's sort of a mix. We also have developed a product called the YubiHSM, which is more for securing secrets on servers, and this product we're making a more advanced version of that one and going to launch in a couple of months and it's for securing the root ... where you store passwords, or credit card numbers on the server itself. The YubiKey is for users, for secure access to their accounts, but this is for securing the servers themselves.