Yubico’s Stina Ehrensvärd on security keys and second layers
by Sarah Brown on
We’re kicking off the new year on our podcast, Random but Memorable, by talking with Stina Ehrensvärd, co-founder and CEO of Yubico. Stina started the company in 2007 with her husband, a former white hat hacker, after realizing just how easy it would have been to hack her bank account.
If you’re wondering how a security key or other external two-factor authentication (2FA) device could benefit you or your business, read on to learn more.
A security key is a small physical device that adds a second layer of protection to your online accounts. When two-factor authentication is turned on for your accounts, you are prompted to use your second factor any time you sign in from a new device. A small security key like Yubico’s YubiKey fits in your pocket. It can be used as an extra layer of protection on 1Password, Google, macOS, Firefox, and more.
Support for these keys is built in to most web browsers via Yubico’s new WebAuthn API, creating what Stina calls “the seatbelt for the internet.” WebAuthn is backward-compatible with Universal 2nd Factor (U2F), so any certified U2F security keys will work with the WebAuthn-enabled flow. We’re excited to be included alongside Google and GitHub to be some of the first to adopt the new browser standard developed by Yubico.
Although a security key provides extra protection, it doesn’t eliminate the need for passwords. Passwords are still the industry standard for online accounts, and that isn’t changing anytime soon. Security keys, like biometric authentication, work with your strong, unique passwords to protect your account against hackers. However, biometric authentication like Face ID and fingerprints operate within a margin of error.
“What I like about using YubiKey and a password or PIN, is that it’s exact. It’s 100% or nothing,” says Stina.
This dual setup provides a higher level of hardware-based security by allowing you to use the same security key across multiple services, browsers, and applications. Although combining a password manager with a security key provides the best protection, adding a second factor doesn’t mean you can get away with a weaker Master Password or reusing the same password across multiple sites. Password reuse, or using the same password for multiple accounts, leaves you vulnerable to hackers and account lockouts. That’s why your Master Password, which is used for the encryption of your data, is still instrumental in protecting your 1Password account.
If you or your business has dealt with the fallout of a breach or hack, you know how much trouble it causes. Adding an external authentication factor gives you peace of mind that your accounts are protected. Apps like Google Authenticator use your phone to add this second layer by prompting you to open the app and type out the six-digit code.
However, using your phone as your single authenticator and login method only works if you always have your phone on hand. It can pose a problem if you’re not allowed to bring a phone on-site, or if it’s ever lost or stolen. Using a security key instead of an app allows you to access your accounts without needing your phone. “I’m not advocating that hardware is the solution for everything, but if you want good security, it’s proven to work,” says Stina.
Using a password manager and combining it with a physical security key like YubiKey eliminates the chances of being hacked remotely, giving you peace of mind when it comes to the safety of your data.
“The internet was not designed for security, it was designed for sharing,” Stina explains. This is the problem that inspired Yubico’s mission, which is to develop a standard that will help every person on the planet to be more secure.
If you’re interested in learning more about how a security key could protect you, listen to this week’s podcast. If you have a YubiKey already, you can register it with your 1Password account by following these setup instructions.