In episode 22 of The Secure Developer, Guy meets with Stina Ehrensvärd, founder and CEO of Yubico, to explore how hardware solutions like YubiKey can be an effective approach to authentication and security.
About the Guests
Stina Ehrensvärd is Founder and CEO of Yubico, a company that specializes in two-factor authentication for business and makes the YubiKey, a hardware authentication device that supports one-time passwords, public-key encryption and authentication.
Guy Podjarny: Hello, everybody. Welcome back to The Secure Developer. Today we have with us Stina Ehrensvärd from Yubico. Welcome, Stina.
Stina Ehrensvärd: Thank you so much for inviting me here.
Guy: Thanks for coming to the show. I know you from the Yubico world, the YubiKey world. Can you just introduce yourself a little bit? What you do, maybe how you got into it, and tell us a bit about indeed Yubico and what you do.
Stina: OK. I have a background in product design and when I went to college a guy, an electronic computer engineer approached me and gave me a working prototype of one of my designs, and I knew that was my man. I married him.
Guy: Love at first prototype.
Stina: He was 15 when he built his first computer, and at the time he was 25 and had just designed the security system for the largest nuclear plant in Sweden, including my design that I did at college. Other guys had given me flowers and dinners, and Jacob gave me a prototype. That's much more useful.
Anyway, since then we've been working in this cross-world between industrial product design and innovation with a focus on security strategists’ consultants, and we came up with ideas. The YubiKey and the Yubico mission came to us eleven years ago, and it was an odd story.
I was logging in to my online bank and Jacob said that it would take him one and a half days to write the code that would hack my bank account. So, to check with the bank what they were going to do about this problem, I called the customer service and I got the response, "Can you please tell your friend to not do that?" It triggered me and Jacob to figure out, "What could Jacob not hack, and what was the thing that we needed to crack?"
The only thing that Jacob couldn't hack at the time was smartcards. Like public key crypto strong authentication, proven technology that's been around for 30 years. It's the same technology you see in GSM cards and PIN and chip cards. But they were not designed for the Web. They were not designed for mobile or for users.
So we came up with a concept of using strong public key crypto and hardware, but simplifying so you didn't need any client software or reader. It identifies itself as a keyboard. That was the first invention, and then you touch it so you show that you're a real human.
We made it in the form factor of a USB key instead of a card because then you carried the reader with you. You don't have to have an external reader. It was a long, really difficult journey to convince the world at the time, because at the time everyone said "The phone, biometrics and user behavior that is completely the future."
SMS had just launched, and there I was with my little USB key and no one cared. Literally, I was like, "OK." People even said, "Sorry, you're dead. This is the '90s. Why are you coming with a USB key?"
Guy: That's nice sometimes to prove people wrong, in that sense.
People still question why we need hardware.
But anyway, I just said, "OK. Is there a more easy and secure way for user credentials?" What we came up with needed a global standard to make the mission complete.
The mission of Yubico and the YubiKey came from the same word that we picked for our name, the word ubiquitous, which means everywhere. A key that would enable you to log in and access everything. Your computer, your networks, your online services. Just like you can go with your credit card and buy in all stores, and with your driver's license and driving old cars.
Guy: Was it meant to be a replacement, or an augmentation? Was it meant to be like the 2-factor auth, or to be everything-in-one, "This is the way you authenticate to the web?"
Stina: It was definitely augmentation. Our biggest competitor is not everything 2-factor, it's still the username/password used by 90% of services and everyone else out there. The smart cards, the one-time password tokens, the push apps and the SMS has helped educate the market.
But the hardware devices have been too complicated, and the software solutions, like SMS and push apps and anything that you download on a computer or phone, is not secure enough. They've all had an important role in getting there, to go from some other 2-factor authentication method to the YubiKey is much easier than convincing people they need to go from using--
Guy: That they need it in the first place. You get the advantages of indeed hardware design that we don't appreciate much, although we use it in everyday life of being what you want. It's just there, it's just on, it's plugged into your laptop. You just touch it and it goes.
Stina: Yeah. We came up with this simple user experience first, and then we realized, "OK. In order for this technology to scale everywhere the glue is missing. How do you attach this to a service and then you can log into any number of services?" Google had started buying our product. They started to buy our one-time password product.
Guy: For internal purposes, just for internal use?
Stina: Internal purposes, for their own internal staff. We were aware that was not the ultimate product that we could invent, and it didn't have NFC for mobile. So I wrote my first business plan. I'm not from the business world at all, so I'm not even sure how you write those plans.
I wrote one page, or it was even half a page. I said, “We're going to move from Stockholm to Silicon Valley and we're going to scale our technology through working closely with the tech giants through the platforms and the browsers so it gets integrated directly into the technology that's used by billions of people. And in that way, we don't have to have hundreds of salespeople and hundreds of marketing people, we just have to work with 10 companies, or even less."
Guy: To an extent you took the advantage of the hardware design, which is you can design it to fit the literal physical need. I love that and that notion.
I'm often an advocate around making security easy. Making it hopefully the default, and if not default at least a very easy action.
Now that you're in hardware mode you have to also ensure that the software components on it are sufficiently universal, sufficiently enforcing because you're not going to carry around 10 of these YubiKeys and plug in the right one at any given time.
Stina: Actually, a few years ago someone told me they could identify people working in the financial sector on Wall Street on the size of their pockets because they were carrying all these tokens. That we wanted to avoid. Now a lot of people have some kind of phone app instead, but they have been increasingly vulnerable, and Google had seen that.
They were seeing phishing attacks and they started using our one-time password device, and we approached them with this idea of adding public key crypto and NFC, and this protocol of enabling one single security key to access any number of services with no shared secrets. It took some time for us to convince them, but finally we did and the initial use case for Google was just their internal users. That's where they had a budget and that's where their initial needs were.
Guy: Keep themselves secure.
Stina: The results were so great. The results were amazing. Together with Google we contributed the code to an organization named FIDO Alliance that had started just a few months earlier.
Guy: What does that, FIDO, stand for?
Stina: It stands for Fast IDentity Online, and it started with a similar but a slightly different authentication protocol and was more focused on the same mission. "OK, how do you make it easy and seamless for everyone?" The initial focus was biometrics and phones, while our focus was hardware security keys. It's been a challenge, and a fun and amazing journey working with these standards bodies and all these organizations moving things forward.
Guy: That sounds like quite a feat. You're there, you're this tiny startup. You're coming along and you're driving a mindset, or maybe a slice of the world of security trying to drive more secure authentication and identification. You work with Google, that's a good moment in the sense that as a customer they are a pretty good customer to have, and now you're trying to work with these standards bodies.
How was that like, and maybe if I can even ask, what was the primary driver? What was the mission inside the organization saying, "We'll go through what I believe or what must I suspect was somewhat painful at times, which is mobilizing a standards body at the pace of a startup?"
Stina: To convince and gather and get all the leading tech giants into the same room, agreeing on something, was--
Guy: That sounds easy. That sounds very easy.
Stina: I don't want to go into detail because they're all my friends and customers, but we had some cool stories where they didn't really trust each other. So they used Yubico to walk between and be the middleman.
I sometimes see ourselves as a small Switzerland in this giant tech world, we were this little company that had great ideas but we were not a threat to anyone. That was also the key to our success. We could walk between and solve problems, we were very hands on. We built code. We wrote 90% of the U2F code, we put it out there, we built test tools and servers and we educated the world.
After Google made support we convinced GitHub and Dropbox and Facebook, and we just keep pushing. While the world was screaming, saying, "That's not the future. Security keys are not the future. Something else."
We just were focused and said, "Yes. Whatever 'else' is, we will need hardware too." Yes, biometrics, yes, user behavior or geo-location or all the other things that you may want to add to track and monitor users that will add another layer of security.
If you don't have a solid door to your house someone is just going to walk in there, even if you have good cameras watching.
"Someone is walking into your house," but they've already walked in. I would say what we're trying to do is put out that door. A username and password is like putting up a latch, you can just kick it in. When I'm trying to describe this for my kids, I've got three kids, "We are building a very secure door."
Guy: Yeah, that keeps people absolutely out of there.
Stina: "And you need a special key to get in there, and if you don't have the key and the door is--" It's just going to be really difficult, but of course it's not impossible.
Guy: What you're trying to get, or what you did get in all these companies to sign in is to subscribe to FIDO or to this standard. The end result of which that you can now authenticate with any authentication device that supports and that acts as the client. Is that correct?
Stina: We were the first to develop the authentication device, now there are others. We put out the code and worked with Google, and now also Microsoft have made a fantastic contribution. Because our initial protocol is just focused on combining the key with a username/password.
The vision was to say it doesn't have to be a password, it can be biometrics, or nothing. The key was something that you are. Microsoft have the FIDO U2F protocol has evolved to something called FIDO2, which parts of it is in W3C and under the name WebAuthn.
But to respond to your question, there are authentication devices and there are free open source servers that any company can integrate. Yubico provides these servers, it takes a couple of days to make support for it for free.
Then there are the browsers and the platforms that make support, but those are not so many. They're a handful. So when the platform and the browser guys support you, it's so much easier for both the device providers and the servers to make support in the back-end. We have fantastic results since Google deployed this for all their staff and contractors, they had zero account takeovers. Literally not one single successful--
Guy: That's a good number.
Stina: Successful attack. They were able to reduce support with 92%, and I was like, "Where did that fantastic number--?" Because I didn't expect that. They said, "We figured out that independently if you only have one key or one phone, or one card to log into.
One method, users will lose it, but if you give everyone two or three. Like, we actually design one that sits in the computer, one you put on a key chain, one you can put in a wallet. Then the number changed, because then you have a backup.
If you make the backup weak that's where the bad guys will come in.
Guy: That's the, "Forget your password hack," or whatever it is. The secret questions, right? You have this uber-sophisticated password and then your secret question is your date of birth, which you can then. It's not that many options when you can guess the person involved. So, I love the impact of it.
The world of security tends to be very self-interested, or just much more opaque in the many aspects and not necessarily as collaborative. Not for bad reasons, just that security is scary. We're not that far from the time in which people thought that even the best crypto algorithms were the ones that nobody knew about, and today we're in a different era and crypto algorithms are open source and they're better for it.
They're vetted, and the likes. But as a business, many companies would have said, "I have this YubiKey and I'm trying to support it. I will do the grunt work of authenticating with the gazillion different protocols out there," and it would give me a competitive edge.
Was there a core principle? Or, how did you keep the perseverance to it? To an extent you're giving up some core concept and core advantage that you have in this YubiKey to help improve the general ecosystem security by driving it.
Stina: That was a decision we made. It was a very similar decision that Volvo made when they invented the seat belt, which was solving a problem 60 years ago. Cars were not designed for security, the internet was not designed for security.
There was an inventor at Volvo who said that he had made some research and come to the conclusion that users do not want to be uncomfortable even for a minute. So whatever the seatbelt would be it had to work within a second with one hand, and that was the objective for the three point seatbelt he invented.
Then he went in to the Volvo board and said, "We should not keep this great invention by ourselves, we should give it to the world. Every single car on the planet should have this because it will save millions of lives." He is an inspiration to me. He just said the right thing.
You have to take that bet and trust that you can build a business, and will have customers even if you're giving up some IP. We haven't given up every piece of our IP in the company, but we've given up the standard space that is the crown jewel of our inventions. We are extremely proud and happy of that.
This is how I've been able to recruit the coolest engineers on the planet. This is how I say, "OK. Do you want to have an important job? Do you want to help to secure billions of people?" I think that is a very good way to operate.
Guy: That's a pretty good mission. You get some pretty committed people.
Stina: They say, "And how is Yubico going to make money?" And I say, "Yeah. Eventually we'll have competitors. Eventually it will be built in directly into computers and phones. But there are 7 billion people out there, and if we get a fraction of those, we're going to be really good."
Guy: Oftentimes also the expertise and the people driving the standard, first of all, help influence the agenda. Your vision and your alignment, you're generally always a few steps ahead of the world because you understand it in that very few people and entities do.
So, you can plan ahead and then you can also help indeed chart that path, because that's what you believe is next. But still, that's an amazing sentiment and mission to do it. I want to applaud it, it's not one that happens every time.
We see some initiatives, you look around now and you see things like Let's Encrypt that helps establish standardizing the creation of certificates or a certificate authority. They didn't invent anything necessarily, except maybe some automation components, but sacrificing a potentially profitable or good money-making certificate authority business in favor of doing something that expands the use of HTTPS and TLS. The world is positive and hopefully we'll see more of those.
Stina: I'm very optimistic about the world's future, I'm seeing a lot of these sharing community efforts in many aspects. The work we are doing is one of many, and in many of many standards work and collaboration projects. I'm seeing across the planet where people want the world to be better and contribute.
And the whole Linux thing, there is this community where you just give because you want to be part of something bigger. We've been fortunate, which has been very helpful for us, to actually be able to build a business around it and it was also necessary.
Because we needed the feedback from customers, and customers needed a product, and when you have a product you can earn some money.
It was in some ways really helpful that we were a corporation in order to-- If we had been a completely non-profit we wouldn't have been able to put out the product there and get the feedback and work with these customers on their problem. There are times where I feel like, "Are we a corporation or are we non-profit?" And I think we're both right now.
Guy: Yeah. That's fine. You're a corporation with a good mission for it, and that's a good one. I'd love to dig in on one specific aspect of it. This is that you have this standard, and these standards are the authentication standards. They're not identities. Can we talk a little bit about that? What's the difference between the authentication standards vs. who you are, your identity?
Stina: Authentication is the same person coming in again. It's the key to your house. It doesn't say, "This is Guy's key." It's just the key, and it has in the digital world, it has a number. With identity, that's you. It's the stuff that's on your driver's license or other means of personal information, and we don't do that part. But it is important to combine those pieces and we got a grant from NIST two years ago to figure out how we can combine the FIDO U2F with identity.
You can't even say this in America, in Sweden where I come from we can. "How would a national ID system that is not owned and controlled by the government, or by corporations, how could that look using these standards and tying the user’s identities to it in a high-security, high-privacy way?" And we have figured out some cool ways to do it. We are now deploying this for their first users in California.
Guy: That sounds amazing and scary.
Stina: I don't personally want to go into the identity space, but there are ways to ensure that you keep your user's data fairly secure and don't collect too much data, just the data you need.
Guy: Hopefully there is a means to do it. At the end of the day we're in a world of federated identity, it's just not single federated identity. There's a bunch of them.
Stina: The FIDO U2F protocol that is now becoming FIDO2 protocol is a very good complement to the federated identity. The federated identity allows you to have a lot of identity data and go to many places, but it didn't solve the authentication problem.
The federated identity idea is like Facebook Connect. With Facebook Connect you can go to a lot of places, and you don't have to sign up for these places. If you tie a security key to Facebook Connect now you can securely log in to these places, but you are still using federated identities.
We have a strong collaboration, and I actually hired members off the OpenID and SAML community into Yubico to figure out our next generation protocols. Because we are innovators. How do you tie the federated identities with this authentication piece in the most high-security, high-privacy way?
Our mission is a user-owned identity where you own and control your identity and give this to service providers, just the way when you come into a store and show your driver's license you choose when and how to show it and it doesn't necessarily stay with the identity provider.
Guy: Sounds like an area that definitely requires at the very least, some better solution. Right now where we are, currently reality is different.
Stina: Yeah, we're still figuring out what we believe again in open standards. The open standards are critical for adoption and to ensure you do the right thing. A lot of people looking at the same thing and scrutinizing and questioning is good, we are living in a time when you should not buy black box security. I would not recommend anyone to do that. "I'm the big brand. Go and trust me," that doesn't resonate well.
We have to remember that the hackers are always in front of us and will hack systems.
If it is an open standard it will be more, and if it's open source it will be more people who can identify when there's a problem and solve it in a transparent and agile way.
Guy: A bit of a side question for it, this is the technology and the technology evolution to it. To an extent we're seeing trends like 2-factor auth get stronger. It used to be something that was very niche, and now it’s much more standardized or accepted in whatever means there are.
What do you see in terms of adoption trends, or changes? Do you see hardware supported, or even software supported if we can, multifactor authentication and better security controls growing substantially? Or are we still 99% passwords and we're just living in a little bubble?
Stina: Maybe not 99, but not far away. It is the vast majority. I think Google put out some stats saying, "Only 10% of their users have turned it on." It has a very good effect. Which is interesting because we humans, we're not interested in adding anything that we believe is a little more complex. "We've figured out, OK."
People believe it's difficult, but this is actually easier than a username and password. Because once you register this to Facebook, for example, Facebook has set it up so you only have to do it once. You bless it to your phone and you bless it to your computer, and then you don't have to touch your key.
You can put that in a drawer unless you move to a new computer, and then you got strong 2-factor authentication without having the need for logging in with a complicated username/password. You can literally just open your computer and it's secure. But, I don't know. To answer your question the world needs more hacks. I don't want to say it, but--
Guy: Some more scars?
Stina: Every time there's been a major hack then my logistics team comes back, "Stina did you have a marketing push or something?" "No, there was just a big hack." Then the other is the GDPR, even if it's just in its start. This is in Europe, requiring corporations to take care of user data in a thoughtful way. If they're hacked it will be a big fine. It's a good start.
What I don't like with GDPR now is that it's fussy on what you should do, and it's a consultancy and bureaucracy of getting there. But the intention, "OK. You need to do something or you will be fined." The next step is that they would say, "And you actually have to have 2-factor," or you have to have whatever the recommendation is.
Guy: Right, set the standards for it. What I like about GDPR is it just aligns the incentives a little bit.
Means aside, just the fact that the fine is bigger, it's big enough to care more.
At the end of the day that's maybe one of the most important, in my mind, one of the most important aspects of it. That before the fines were too small, the price to pay from a direct cost penalty that you have to pay if you mishandled, if you under-invested in keeping your user's data secure or private for it was just too low. It was easier, or better business-wise to just not invest in it if you didn't fuss about it too much.
Stina: Going back to the seatbelt, after they invented the seatbelt and after we made it a standard the government came in and put out these regulations. First it was just mandatory, now they're beeping and really annoying.
Guy: At first people complained, and when I was growing up in the back seat you didn't have seat belts or boosters or whatever. They evolve.
Stina: The reality is seat belts have saved millions of lives, and 2-factor have already proven to be good, and it's not the only security problem on the planet but it's by far the biggest one. If you read all these breaches that are in the news, 80-90% of them are due to a hacked password or a weak credential in some way.
The most sensitive part is someone logging into a server. If I have a recommendation to a company, saying "What should I do?" I just say, "Start securing your privileged users, your admins with 2-factor." That's a very small investment that can have very big impact for a company. You can go and get these keys on Amazon from Yubico and other companies, it's a small investment. It's not difficult and you can set it up within hours and days, depending on the back-end infrastructure.
Guy: Yeah, it pays dividends very quickly. I'm looking forward to see even further evolutions from YubiKey because I believe in what you were saying, or you were attributing this to the seat belt creator.
People don't want to be uncomfortable even for a second.
As we make it more and more convenient to them, and maybe on the other side we make it inconvenient to not do it. Maybe have it prompt you again and again that you have to turn on that other security control. But the better you design, you and Jacob join minds with him and I'm sure an incredible team to figure out other means of just making it so streamlined that you don't even think about it, but you do the secure thing. That would help move us in having the 90-some percent to be on the other side of the equation.
Stina: No. I started this journey together with Jacob, and I'm thrilled and excited and honored with a global community we're working with today. We work with some of the smartest people at these tech giants and these open standards bodies, who really shared the same love for the internet.
The first time I actually logged into the internet it was almost a spiritual experience. I grew up in Sweden, we're not religious, but I got this sense. Like, "Here we are all connected. Here is this place where we have endless information for all of us to tap into. Isn't that God? Isn't that what someone says is God?"
I got goosebumps and since then I've loved the internet. It's a vital infrastructure for democracy and collaboration and the next thing mankind can do, and I'm here as one of many to help to secure its future to stay open.
Because some of the security discussions are like, "We need to lock down the openness because that's the only way to make it secure." So to ensure that you can have good security with good privacy, that's the difficult mission, but the one that we have just started. In a few years from now we'll see the results.
Guy: Indeed. Before I let you go here, I have a whole bunch of other questions but we're already a little bit over time. I like to ask every guest on the show if you have one piece of advice or some word of wisdom to people looking to level up their game? Specifically on security, but maybe the broader. What would that be?
Stina: To level-up the game is to stay optimistic. I've met a lot of people who are cynical about the world and where we're going, and I am this unfaltering optimist that believes that, "Yes. Mankind is good at creating problems, but we are as good at solving them together."
When you tap into that mindset and that energy and find that community with people and peers who want to solve the same problem, it's just a really inspiring thing to do. Don't give up and don't be demotivated. The world will be more secure, and we can all help.
The best way to be part of this movement, I call it a movement, is to engage in open standards work. Download the open source code. Go and build products around these standards and figure out what we can do next.
What are the trust models that we could build when people can start to control their own authentication and identity? What are the new payment methods? IoT solutions? What can grow and flower from this? I am as curious to see what will come from these inventions as to see what Yubico has created.
Guy: That's a very good message to have. Thanks a lot, Stina, for coming on the show.
Stina: Thank you.
Guy: Thanks everybody for tuning in. Join us for the next one.