Yubico’s Chief Product Officer Guido Appenzeller Speaks Exclusively to CryptoNewsZ
Today at CryptoNewsZ, we are joined by angel investor and entrepreneur Guido Appenzeller, Chief Product Officer of Yubico. Yubico was founded in Sweden in 2007 with the mission to make secure login easy and available for everyone. Yubico manufactures the YubiKey, a hardware authentication device that supports one-time passwords, public-key encryption, and authentication.
CryptoNewsZ: Guido, before we begin speaking about Yubico, I would love to know more about your expansive career. You are an angel investor and entrepreneur, hold a Ph.D. from Stanford University and an M.S. from the Karlsruhe Institute of Technology, and have held several key positions at well-known organizations. Our readers would love to know more about your journey and what prompted you to join Yubico?
That’s a great question actually! If I look back at my career, I have always liked early-stage startup or growth companies; companies that expand rapidly. Actually, VMware my last job where I was CTO for cloud networking and security was a really fascinating position. That was the first time I was an executive for a large company, crazy amount of travel, many places around the world and some fantastic speaking opportunities. And at the end of the day I wanted to go to something a little smaller and growing more rapidly, so I decided to leave VMware and started looking around. Actually, back then, I was already using the YubiKey 5C to secure my Gmail account and started to put my family on it as well. Then Martin Casado, general partner at Andreessen Horowitz and also a friend of mine said that he had just invested in Yubico and I should talk to these guys. We had a conversation and I was really excited about the company; this mission of trying to make the internet more secure, to get rid of passwords and to solve the big problems that are promised for big enterprises and also for consumers.
CryptoNewsZ: Guido, would you like to tell us more about Yubico’s mission and vision? Would you want to elaborate further on this?
At a high-level, we are trying to make the internet more secure; which almost sounds preposterous. So, how can we do this with little plastic dongles? If you take a big step back and ask, today if data is leaked or websites are compromised or a bitcoin is stolen, somewhere in the attack chain, in the vast majority of cases, there is a step when attackers steal credentials. If I want to steal Bitcoin from you, I probably need to get your login and password information and then log in on your behalf onto a webpage. In many of these big corporate hacks, when somebody accesses the databases, they either phish or sniff your login password combination to get to a backend system. It might be a time-based code which is used to get into the backend system. With YubiKeys you can basically make account takeovers from credentials theft extremely difficult, if not impossible. If you take a modern protocol, like FIDO/FIDO2, it’s phishing resistant, so I can’t be phishing attacked anymore; I can’t copy the key, that is, YubiKey which is a tamper resistant chip and never goes out. It basically closes one of the largest attack factors that is used for attacks on the internet for both the consumer space and enterprise space. So, if we can make everybody use these more secure login mechanisms, we would make a huge leap forward in internet security.
CryptoNewsZ: YubiKey sounds like an integral and essential security solution for various industries. Would you like to tell us more about how YubiKey actually works?
YubiKey looks like a sophisticated version of a little plastic USB stick, which can sometimes be carried on a keychain. We have some really really tiny ones which you can plug into your laptop and leave it in there all the time. It looks like a really smart flash drive and looks even smaller; what you can do with YubiKey essentially is that you can enroll, for example, if you are using Gmail or any kind of website, like Coinbase, you can take the key, enroll it and basically tell the website that only the people who show this key should be allowed to log in with your login password. From that point on, unless I have that key, I cannot log in to my account anymore. And the way these keys work is that there is basically a chip inside that is tamper resistant and it basically generates a key inside the chip and the key never leaves the chip. It is really hard. Even if I can get your key temporarily, I cannot create a copy of the chip. If I try to talk to the chip, it will not give up this internal key.
So, how people actually use it is that they take 2 YubiKeys; basically, you have one and the other is a backup at home in case you lose one. This provides an extremely secure, high level of security for protecting your online accounts. Google actually did it; guys from Google security, they wrote a blog post. They actually did a study and looked at around 360 thousand accounts that were attacked. Then they basically took these different attacks and put them in different buckets, like mass market phishing and highly targeted attacks. At the end of the day, secure keys were the only solution to zero account compromises. Not even a single one of these 360 thousand accounts would have been hacked if they were protected with the security key, and that says how secure they are.
CryptoNewsZ: From what I gathered from our conversation so far, the YubiKey works with hundreds of enterprises, developer and consumer applications, with no client software. Would you please tell us how your team can manage such a seamless and secure access to millions of online services?
For me, that is actually something really really important. If I always have to install a driver before I use a key, that takes away a lot of usability, and the only way to get there is standards. We have been working with large companies like Google, Microsoft on standards, the FIDO/FIDO2 standards but to a large part written by Yubico. We have managed to convince everybody this is a great path forward. Today, we have seen more and more sites implementing these authentication standards. I am convinced that in the future, all of us will use FIDO2 almost daily in order to log in to sites. These are fantastic standards and are highly secure. I think it is the future of authentication.
CryptoNewsZ: Would you also tell us how can YubiKey be used across major operating systems and browsers and how does it support multiple authentication protocols in one device?
If you are a consumer and you just want to secure your Gmail or your Microsoft account, then typically these large sites are pretty good at quickly updating their systems to support the newest protocols. On the other hand, if I look at our typical enterprise customers, today Yubico is used by, for example, banks, retail, organizations, travel and the government. They have a lot of classic legacy systems, so this is not a latest-generation of authentication; it is not green field at all. And for those cases, Yubico supports a very long tail of authentication protocols. If we talk of FIDO/FIDO2, you can actually use YubiKey, the same way you use a smart card with a certificate; like if you wanted to do a classic PKI, you can do that with YubiKey. Do you know the Google Authenticator, like the little QR code that you scan, then you have the 6 digits number that you type in when you log in? We can also do that with YubiKey where this number is now stored on your YubiKey. Actually, it is even more secure than just being stored on the phone. It is actually portable, so you can carry along in a phone and laptop. We have things like OTP which are really nice retrofit methods if you have a legacy system with RADIUS and there is no easy way to update the authentication protocols, you can often also use OTP to make a big step forward. We have PGP, if you want to get a little more technical and probably use an SSH code for system administrators.
I think a huge new area of uses for YubiKey is really just starting to emerge, and that is a fully passwordless login. So, if you have a Windows 10 computer and today, for example, as you have a user ID, without any client install you can still preview from Microsoft. Basically, without requiring any client install, you can use YubiKey, in order to do a fully passwordless login onto your machine. You just plug in to your YubiKey and you are logged out; this makes you completely get rid of passwords.
CryptoNewsZ: With the tremendous growth of the blockchain and the subsequent adoption of cryptocurrencies, security is one of the greatest concerns that looms over the industry. Would you please tell us how can YubiKey make securing cryptocurrency exchanges, accounts, and high-value transactions safe and easy?
We have a number of large customers in the cryptocurrency ecosystem who use YubiKeys internally and we also have some exchanges who use YubiKeys for the internal employees. We are also seeing more crypto end users use YubiKeys, and one of the things that is currently driving this ahead is actually SIM swapping. If you go to a website and want to have an extra layer of security, what they do is send you an SMS code if you log in from a new browser or from a country where you haven’t logged in before, then you type in the code and you are logged in.
Actually, it’s a really bad idea. It’s better than nothing, arguably. But something which is reasonably easy to circumvent, for example, if I can get a fake ID and go to an AT&T store and convince them that I am really you, they will give me a new SIM card in your name. I will then start getting SMSs which normally you would have received. We have seen this attack getting executed quite successfully with people losing millions of dollars or probably more, because people got SIM cards in their name, redirected the SMS and used it to break into and clear out cryptocurrency accounts. Today, using SMS is no longer considered sufficient security if you have substantial assets like more than a thousand dollars of cryptocurrencies in your account. In those cases, taking something like YubiKey provides you a much much higher level of security as it cannot be remotely copied. Either somebody has to physically take it away from you, otherwise they will not be able to successfully pretend that they are you.
CryptoNewsZ: Our readers would love to know, what sets YubiKey apart from the existing security solutions in the cryptocurrency domain?
Yubico was one of the pioneers in the space that has been driving lots of standards. We have very good compatibility with a large range of sites. If you go to our website, you can actually check if YubiKey would work with a particular site that you are using and how it will work. The keys are actually very robust, they are waterproof, they are crush proof. We have one case actually a dog ate a YubiKey, it came out from the other side and it still worked! I am proud of the engineering that goes in there. It’s a very versatile device. We just keep innovating, keep adding new features, new protocols to these keys.
CryptoNewsZ: Team Yubico plans to attend the upcoming San Francisco Blockchain Week, and you are a part of the panel at ‘Conveniently protecting your digital assets’ event; we would love to know more about the panel at the said event.
San Francisco Blockchain Week sounds like a great event. We have a panel there. We are going to talk about many of the things that we talked about today. Basically, what are the big sort of attacks, incidents that we are seeing in the cryptocurrency space. There is a lot of money getting stolen but definitely hundreds of millions. In the attacks that we have seen, how do we protect against them? In practical terms, if you are in an exchange like somebody from Coinbase panel or if you are just an end consumer, how can you protect your account? Great line of people. Really looking forward to the panel.
CryptoNewsZ: Guido, Yubico is undoubtedly an industry leader when it comes to critical areas such as providing security to digital assets & San Francisco Blockchain Week is a platform where great minds from blockchain & crypto will come together under one roof. According to you, how important yet convenient is it for the crypto & blockchain community to now understand the necessity to use solutions such as YubiKey to protect their digital assets? Do you think your presence at the event and in the panel will help in educating the crypto-masses about the same?
I think just given the amount of theft we have seen in the space, it is really really important for security to take a step up in the space. We see this as a great opportunity to educate the community about what can be done and how easy it is. If you ever use YubiKey, you can literally plug it in and touch a contact and that is your authentication. It is a very very nice user experience. The security experience has always paid off between usability and security; if it is too hard to use nobody uses it. I think we have really hit a sweet spot there. If you have substantial crypto assets in an account today, you should use a security key to protect those assets.
CryptoNewsZ: According to you, can the San Francisco Blockchain Week help define the future of blockchain and cryptocurrency, especially in the United States?
It’s a great collection of people with some variant topics being discussed. I am definitely looking forward to it.
CryptoNewsZ: San Francisco Blockchain Week has a lot of amazing events lined up; which of these events is Yubico more interested in and what are your expectations from them?
All of these look promising. I don’t think I have any particular favorite there.
CryptoNewsZ: Would you like to tell us about any upcoming launches or partnerships lined up at Yubico?
We are always working on exciting new products and we are working with a couple of very large partners and on some great new initiatives. Unfortunately, I can’t comment on what exactly is on the cards there.
CryptoNewsZ: Guido, Yubico has an immensely talented and a growing team of superstars who are industry leaders and innovators, representing 25 different nationalities, and are based out of eight countries; does Yubico have further plans for expansion?
Of course. We as a company are growing rapidly. We are always hiring — if you are interested in security, in cryptography, product management, sales or if you are from an engineering site, we would love to talk to you. I think there is still a great need to make the internet more secure and that means for Yubico there is great potential to grow.
CryptoNewsZ: Being named among the top 100 most intriguing entrepreneurs and christened as the World Economic Forum Technology Pioneer; what advice would you give to those currently trying to get a start-up off the ground?
The first thing I would like to do is give a shout to Stina, my boss, she is CEO of Yubico. She was just this year named as one of the most intriguing entrepreneurs by Goldman Sachs and got the honors. Congratulations to her!
Doing a startup probably was one of the most fun, intense and formative experiences of my life. I would encourage everybody to go and try but be realistic about what you do. It’s a crazy amount of work, there’s obviously risk involved, but you should give it a try. One thing that I can recommend to everyone is to pick your team very very carefully. If I look at startups, I think the number one reason why I see startups fail is because the teams break apart. If you have a team of people that share the same vision, that work together well, that you trust, then if bad things happen, you cluster together, you figure out how to overcome adversity and ultimately you succeed. If you have a team of people whom you don’t trust and you really don’t want to work with them, then in case of adversity things splinter, things get complicated. I can only highly recommend it. It has been a fantastic experience.
Thank you very much, Guido, that was quite an insightful interview. We at CryptoNewsZ thank you for your valuable time and wish you success for all your future ventures.