Video: 10 Minute IT Jams - Yubico on the reality of a passwordless future
Securing online identities is becoming more important - and more challenging - than ever. One company on the frontlines of this shift is Yubico, founded in 2007 with a clear mission: to make secure logins easy and affordable for everyone.
Best known for its hardware security device, the YubiKey, Yubico aims to put strong, multi-factor authentication into the hands of organisations and individuals across Australia and New Zealand. Speaking on today's 10 Minute IT Jam, Jeff Schoenberg, Yubico's Vice President for Australia and New Zealand, shared insights on the evolving threats to online security and why he believes hardware-based authentication is essential.
"The YubiKey provides strong multi-factor authentication to protect people's online presence from things like phishing or man-in-the-middle attacks - those sorts of compromises to your identity online," he said.
Schoenberg likened the YubiKey to a small USB device, whose simplicity belies its strength in defending digital accounts. Unlike many security solutions, it does not require additional client software or complex setup and works with a single touch.
But why is an external device necessary? The answer, Schoenberg argued, lies in the failings of passwords themselves.
"I think we're all sick of passwords, that's a general sentiment that you hear," he said. With so many applications, he estimates most people have over a hundred different passwords, all with their own rules, expiry periods and complexity requirements. "Basically, it's just become really, really complex," he explained.
As a result, people tend to reuse the same password across multiple accounts, a behaviour which underpins a significant number of data breaches. "Our research shows that over 80 per cent of data breaches are as a result of stolen or compromised credentials - username and password," Schoenberg revealed.
The consequences for organisations can be severe. "In Australia and New Zealand, the average cost of a data breach is well over two million dollars, which is pretty significant," he said. Costs aside, there are further implications: business disruption, damage to brand reputation, and potential regulatory fines for sectors like finance. "There's plenty of high-profile examples, far too regularly, of how that's seen in the marketplace," Schoenberg added.
Against this backdrop, the move towards passwordless authentication is gaining momentum. Passwordless can take many forms - from an SMS code to a magic link in an email - but Yubico and other industry leaders are investing in a new standard: FIDO (Fast Identity Online).
"Yubico developed the first version of that, FIDO U2F. Passwordless today is now based on a standard called WebAuthn," Schoenberg explained, referencing the FIDO2 protocols that now underpin passwordless solutions from companies like Yubico. "What that is about is making it strong security that can't be phished, but as well as designing in, from the outset, the convenience and one-touch simplicity."
Such hardware-based standards offer two major benefits. Firstly, they make it far more difficult for hackers to steal credentials using phishing or other attacks, since there is no password to intercept. Secondly, they can be easily scaled for large organisations, with Schoenberg noting: "Because it's a global standard, it's designed with scale in mind. That enables a faster rollout of these passwordless solutions."
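The phishing resistance Schoenberg describes comes from how a WebAuthn assertion is built: the browser, not the web page, records the origin it was made on and the server's one-time challenge, and the authenticator signs over both. The Go program below is an added illustration written for this article, not code from Yubico or from any FIDO library; it condenses the relying-party checks from the WebAuthn assertion ceremony into a small simulation, with the origins, the single-key "authenticator" and the `Demo` scenario all constructed for the example (a real browser would also refuse to offer a credential whose rpId does not match the page, which is omitted here to show the server-side check doing its job).

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// clientData holds the clientDataJSON fields a relying party must check on every assertion.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is a simplified navigator.credentials.get() result.
type Assertion struct {
	ClientDataJSON []byte
	AuthData       []byte // simplified authenticatorData: SHA-256 of the rpId the browser derived
	Signature      []byte // ECDSA (ASN.1) over SHA-256(AuthData || SHA-256(ClientDataJSON))
}

// Authenticator stands in for a hardware key holding one credential key pair (constructed).
type Authenticator struct{ priv *ecdsa.PrivateKey }

// Sign mimics browser plus authenticator on a page served from `origin`. The browser, not the
// page's JavaScript, writes the origin into clientDataJSON, so a phishing page cannot forge it.
func (a *Authenticator) Sign(origin, challenge string) (Assertion, error) {
	u, err := url.Parse(origin)
	if err != nil {
		return Assertion{}, err
	}
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	rpIDHash := sha256.Sum256([]byte(u.Hostname()))
	cdHash := sha256.Sum256(cd)
	msg := sha256.Sum256(append(rpIDHash[:], cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, msg[:])
	return Assertion{ClientDataJSON: cd, AuthData: rpIDHash[:], Signature: sig}, err
}

// RelyingParty is the server: it knows its own origin and rpId, the registered public key,
// and which challenges it has issued but not yet consumed.
type RelyingParty struct {
	Origin, RPID string
	PubKey       *ecdsa.PublicKey
	challenges   map[string]bool
}

// NewChallenge issues a fresh random, single-use challenge (base64url, as WebAuthn does).
func (rp *RelyingParty) NewChallenge() string {
	b := make([]byte, 32)
	rand.Read(b)
	c := base64.RawURLEncoding.EncodeToString(b)
	rp.challenges[c] = true
	return c
}

// Verify applies the assertion checks in order: ceremony type, challenge freshness,
// origin, rpIdHash, then the signature. Any failure rejects the login.
func (rp *RelyingParty) Verify(a Assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return errors.New("wrong ceremony type")
	}
	if !rp.challenges[cd.Challenge] {
		return errors.New("unknown or already-used challenge (replay?)")
	}
	delete(rp.challenges, cd.Challenge) // consume it so the same assertion cannot be replayed
	if cd.Origin != rp.Origin {
		return fmt.Errorf("origin mismatch: assertion made on %s, expected %s", cd.Origin, rp.Origin)
	}
	want := sha256.Sum256([]byte(rp.RPID))
	if len(a.AuthData) < 32 || !bytes.Equal(a.AuthData[:32], want[:]) {
		return errors.New("rpIdHash mismatch")
	}
	cdHash := sha256.Sum256(a.ClientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, a.AuthData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(rp.PubKey, msg[:], a.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

// Demo registers one key, then runs a legitimate login, a phished login and a replay.
func Demo() (legit, phished, replay error) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	auth := &Authenticator{priv: priv}
	rp := &RelyingParty{Origin: "https://login.example.com", RPID: "login.example.com",
		PubKey: &priv.PublicKey, challenges: map[string]bool{}}

	// 1. Real site: browser origin matches, challenge fresh, signature valid.
	c1 := rp.NewChallenge()
	a1, _ := auth.Sign("https://login.example.com", c1)
	legit = rp.Verify(a1)

	// 2. Phishing: a look-alike site (constructed domain) relays the real challenge to the
	//    victim; the victim's browser records the attacker's origin, so the server rejects it.
	c2 := rp.NewChallenge()
	a2, _ := auth.Sign("https://login-example.com.example.net", c2)
	phished = rp.Verify(a2)

	// 3. Replay: presenting the already-consumed assertion from step 1 a second time.
	replay = rp.Verify(a1)
	return
}

func main() {
	legit, phished, replay := Demo()
	fmt.Println("legitimate login:", legit)
	fmt.Println("phished login:   ", phished)
	fmt.Println("replayed login:  ", replay)
}
```

Running `go run` on this prints `<nil>` for the legitimate login and an error for the other two. The origin check is the property that matters for Schoenberg's point: because the password-equivalent is a signature bound to the site the user was actually on, a credential captured by a proxy or look-alike page is useless to the attacker, and the consumed challenge stops the captured assertion from being presented twice.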
However, most people are still obliged to use passwords, and password managers have become a popular intermediary step. Schoenberg is supportive, albeit with a caveat. "We're very supportive of password managers because it removes some of that complexity. But you're putting all your eggs in one basket, so there's still a bit of a risk there. We absolutely support password managers, but absolutely would support that you protect that with strong multi-factor authentication, like the YubiKey as well," he said.
Asked how close we are to a truly passwordless future, Schoenberg was realistic: "Moving everything onto this passwordless standard is not going to happen overnight, but some of the industry leaders are really taking us towards that today."
He pointed to recent moves in the sector: "Back in March, Microsoft launched their passwordless authentication on their Azure Active Directory platform. Anyone that's using Office 365 is well familiar with that, so that's available today," he explained. Google, Microsoft and other members of the FIDO Alliance, including Yubico itself, are driving momentum for adoption.
Other platform providers, such as Ping and Okta, are also integrating FIDO passwordless authentication into their systems. "It's coming, it's available today in limited forms, but over time you can see that momentum is really going to build," Schoenberg said.
Crucially, global standards not only make technology easier to adopt for companies, but also ensure that ease of use is a priority for end-users. "It's got user convenience baked into it, so there'll be demand from the user community. That will make it a reality sooner rather than later," he added.
Still, it may be several years before passwords are a thing of the past. The sheer number of applications and legacy systems means the transition will be slow. "It's not going to happen overnight, because of the legacy that we have with so many different applications using so many different passwords and other methods," Schoenberg said.
Nevertheless, Yubico's leadership - alongside its global partners - is accelerating the shift towards a more secure, passwordless world. As our conversation concluded, Schoenberg reinforced both the challenge and the opportunity at hand: "We support [password managers] absolutely, but absolutely protect it with strong multi-factor authentication as well," he said, capturing the pragmatic approach needed for robust digital security today.