SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Exclusive: Yubico protects against phishing with YubiKeys
Fri, 3rd Mar 2023

Yubico, the inventor of the YubiKey, is a global authentication leader that makes secure logins easy and available to everyone.

YubiKeys are the gold standard for phishing-resistant multi-factor authentication (MFA), enabling one single device to work across any number of services. They are used and loved by many of the world's largest organisations and millions of customers in more than 160 countries.

Yubico has employees in more than 14 countries, and YubiKeys are manufactured at the company's secure facilities in Sweden and the US. YubiKeys have won the trust of the largest enterprises and millions of users across the globe, including in Asia Pacific, where Yubico has been operating for more than a decade.

Founded in Sweden in 2007, Yubico's mission is to make secure logins easy and available for everyone. In 2011, Stina Ehrensvärd, Co-Founder, former CEO and now Chief Evangelist, moved with her husband and Co-Founder to Silicon Valley to make the dream a reality.

"As the creator and core contributor to the FIDO2, WebAuthn, and FIDO Universal 2nd Factor (U2F) open authentication standards, Yubico is a pioneer in delivering modern, hardware-based authentication and security at scale," says Geoff Schomburgk, Asia Pacific Vice President at Yubico.

"YubiKeys are extremely easy to set up and use. They feature all of the modern security protocols, including FIDO2/WebAuthn and FIDO U2F, SmartCard (PIV), OTP, OpenPGP, and more, and they come in a range of form factors to suit a variety of desktop, laptop and mobile applications.

"YubiKeys have no breakable screens, do not require a battery, are both crush-proof and water-resistant, and can be used in sterile environments where smart devices are prohibited."

Phishing attacks are the most common way online accounts are breached today. According to Proofpoint's 2022 State of the Phish, 92% of Australian organisations suffered a successful attack last year, 53% higher than in 2021.

While spam filters catch many phishing emails, newer and more sophisticated ones can still get through. Phishing emails are intended to trick people into giving up information about their accounts or identity and are evolving to be more convincing and realistic to avoid spam filters.

So spam filters are worthwhile, but they cannot be relied on to be foolproof.

In addition, SMS phishing has become extremely prevalent, and many people are being caught out by messages sent to their phones from someone pretending to be a person they know who has lost their phone and needs money.

Yubico does acknowledge that any form of 2FA is better than just a username and password. But methods such as receiving a PIN or passcode via text message, or using a mobile authenticator app, remain highly susceptible to phishing attacks, man-in-the-middle (MiTM) attacks and account takeovers. They do not offer the best user experience and, more importantly, they do not provide phishing-resistant MFA.

Phishing is the predominant method employed by cybercriminals to steal usernames and passwords. Without a second form of authentication, the basic username and password are easily obtained by cybercriminals. They do this by masquerading as a reputable or known entity or person in an email, instant message, or another communication channel.

This type of credential theft allows criminals to reset passwords, lock victims out of their accounts, download private data, and gain access to their mobile phones, computers and even other computers on the network. Worse, they may even wipe the victim's data and backups.

Passwords are often identified as the weak link in cybersecurity, with password security issues accounting for 80% of all data breaches globally, according to Verizon's 2022 Data Breach Investigations Report. However, much of this weakness can be attributed to human failure to practice good password hygiene.

As stated above, many current forms of MFA are susceptible to phishing attacks. In response, Yubico and other members of the FIDO Alliance created the FIDO authentication standard, a more secure and convenient form of multi-factor authentication.

Specifically, the FIDO2 standard with a physical security key, like a YubiKey, requires the user to have the security key and to enter a PIN or provide a biometric. Because an attacker cannot capture these details, the system and user are fully protected.

"In a time when the world economy is slowing down, Yubico is in a better place than it has ever been. We continue to grow our revenue, customer base, product portfolio, manufacturing capacity and team," Geoff Schomburgk notes.

"After years of security standards development and innovation in secure authentication, Yubico is uniquely positioned to help organisations meet current and future cybersecurity requirements."

Phishing-resistant MFA is immune from attempts to compromise or subvert the authentication process. Phishing resistance within an authentication mechanism is achieved by not only requiring that each party provide proof of their identity (something you have) but also intent through deliberate action (something you know).

Contrary to popular belief, passwords, SMS and other One-Time Passwords (OTP), security questions and even push notifications are not phishing-resistant methods as they are all susceptible to some or all forms of cyber attacks.

Nonetheless, MFA can be phishing-resistant via a hardware security key, like a YubiKey, which is proven to be the most secure form of MFA. In fact, a Google study found that security keys blocked 100% of attacks, compared to SMS-based MFA, which only blocked 76% of attacks.

YubiKeys are phishing-resistant because they require proof of possession and the presence of the user to log in or gain access. They are also easy to use, delivering a seamless experience by letting users log in with a single tap or touch on the YubiKey. Also, once an app or service is verified, it can stay verified, and you don't need to use the YubiKey every time you log in.

Thousands of companies and millions of end-users use YubiKeys to simplify and secure logins to computers, internet services, and mobile apps. Yubico works with open standards, such as FIDO and others, and the major system providers also adopt these open standards to provide MFA in their applications.

As a result, YubiKeys work seamlessly out of the box with hundreds of applications, many of which are listed in our Works With YubiKey Catalog. YubiKeys do not require any software and are easy to set up and use. The user simply touches the YubiKey to verify, and they're in. So it is very straightforward for businesses, small or large, to deploy YubiKeys.

Yubico operates a two-tier channel model in the APAC region. We have a main distributor for each territory and a network of authorised and certified resellers. All of our distributors and resellers are listed on our website.

The company also works with technology partners to jointly promote the benefits of phishing-resistant MFA. For example, as one of the founding members of the FIDO Alliance, Yubico works closely with partners such as Google, Microsoft, and Apple and identity management providers such as Okta, Ping, and Cisco/Duo, as well as many others.

"Adopting phishing-resistant MFA with YubiKeys for your organisation will nullify an attacker's ability to intercept credentials, and ultimately limit authentication action so it can only take place between the destination and the user's device," Geoff Schomburgk adds.

"Implementing these standards is the best-known and most secure way to prevent phishing and account takeovers."