I’ve been directly or peripherally involved in the security community for approaching two decades now: in the early 2000s working with the intelligence community; as a PhD student researching networking security; subsequently at my startup Nicira where security was a major use case; and then running networking and security at VMware.
However, regardless of the environment or advances in the field, a lot of the fundamentals have remained unchanged. When building secure systems we often resort to one of two methods to establish a root of trust: either we entrust a secret to a human or we store that secret in hardware. Decades of experience have shown humans to be bad keepers of trust. They can be forgetful, predictable, or fooled into revealing that secret. While cyber systems themselves have become ever more secure, humans remain as fallible as ever.
This is dramatically reflected in how systems are attacked today. A 2018 breach report from Verizon notes that 93 percent of data breaches involved phishing, with email being the most common social attack vector at 96 percent.
The only approach that’s been broadly effective against these sorts of attacks is the use of a hardware-backed security key to authenticate users. A particularly compelling example of this is the two-year study published by Google. Prior to deploying the security keys, Google employees were being targeted by fairly sophisticated attackers to take over accounts. Through deploying security keys, Google was able to bring the number of account takeovers down to zero.
Security keys have seen a massive swell in adoption over the last few years due to successes like the one at Google, and this was largely driven by Yubico, creator of the security key and pioneering contributor to the most widely adopted open authentication standards. I’m very excited to be announcing our investment in Yubico where I’ll be taking a board seat. Yubico — as the company behind the YubiKey, the enormously popular hardware security key that supports a number of open authentication standards and cryptographic functions to protect users online — is well positioned to play a critical role in securing the Internet.
YubiKeys work natively with leading online services such as Google Apps, Facebook, Salesforce, and hundreds more. They are also used by 19 of the top 20 Internet companies and thousands of organizations worldwide. When we were diligencing Yubico prior to our investment, we had a hard time finding a security staff that didn’t use YubiKeys personally and/or had adopted them internally.
Every employee at a16z has a YubiKey to protect their accounts. We made this decision prior to becoming a major investor in the company because we believe it’s the most secure approach to protecting our accounts and the sensitive data we are entrusted with.
In addition to being a best practice for modern tech companies, YubiKeys are used in some of the most sensitive operations on the planet. Key dissidents under oppressive regimes use them. The Freedom of the Press Foundation uses YubiKeys to protect journalists and whistleblowers worldwide, and major governmental election campaigns have adopted them.
While Yubico is best known for the YubiKey, its initial product, the company’s goal is to be the trusted hardware security provider for the Internet. Last year, they launched a new HSM product, which is a hardware security module (small as a thumbnail) that can be used on servers for key management and other cryptographic primitives. The YubiHSM has already seen tremendous early interest and adoption.
My first meeting with Yubico was with their founder and CEO, Stina Ehrensvard. At the time, I knew a lot about the product (as most people in security do), but very little about the personalities behind it — and I was blown away. Stina laid out the history and the grand vision of the company, and I want to highlight a few things that made quite an impression. First, her goal since inception has been global and sweeping: to secure the Internet for every user. Second, a Swedish national, she came to Silicon Valley as an outsider and has not only helped to create a standard that has been widely adopted (including by Google and Microsoft), but she’s built a profitable and hugely successful company on little outside capital.
Internet security is an area I’m personally very passionate about and I’m a true believer in the Yubico vision and approach. I’m thrilled to be joining the board and working with the team on this journey forward.