I’ve been directly or peripherally involved in the security community for approaching two decades now: in the early 2000s working with the intelligence community; as a PhD student researching networking security; subsequently at my startup Nicira where security was a major use case; and then running networking and security at VMware.
However, regardless of the environment or advances in the field, a lot of the fundamentals have remained unchanged. When building secure systems we often resort to one of two methods to establish a root of trust: either we entrust a human with a secret or we store that secret in hardware. Decades of experience have shown humans to be bad keepers of trust. They can be forgetful, predictable, or fooled into revealing that secret. While cyber systems themselves have become ever more secure, humans remain as fallible as ever.
This is dramatically reflected in how systems are attacked today. A 2018 breach report from Verizon notes that 93 percent of data breaches involved phishing, with email being the most common social attack vector at 96 percent.
The only approach that’s been broadly effective against these sorts of attacks is the use of a hardware-backed security key to authenticate users. A particularly compelling example of this is the two-year study published by Google. Prior to deploying the security keys, Google employees were being targeted by fairly sophisticated attackers to take over accounts. Through deploying security keys, Google was able to bring that number down to zero.
Security keys have seen a massive swell in adoption over the last few years due to successes like the one at Google, and this was largely driven by Yubico, creator of the security key and pioneering contributor to the most widely adopted open authentication standards. I’m very excited to be announcing our investment in Yubico where I’ll be taking a board seat. Yubico — as the company behind the YubiKey, the enormously popular hardware security key that supports a number of open authentication standards and cryptographic functions to protect users online — is well positioned to play a critical role in securing the Internet.
YubiKeys work natively with leading online services such as Google Apps, Facebook, Salesforce, and hundreds more. They are also used by 19 of the top 20 Internet companies and thousands of organizations worldwide. When we were diligencing Yubico prior to our investment, we had a hard time finding a security staff that didn’t use YubiKeys personally and/or had adopted them internally.
Every employee at a16z has a YubiKey to protect their accounts. We made this decision prior to becoming a major investor in the company because we believe it’s the most secure approach to protecting our accounts and the sensitive data we are entrusted with.
In addition to being a best practice for modern tech companies, YubiKeys are used in some of the most sensitive operations on the planet. Key dissidents under oppressive regimes use them. The Freedom of the Press Foundation uses YubiKeys to protect journalists and whistleblowers worldwide, and major governmental election campaigns have adopted them.
While Yubico is best known for the YubiKey, its initial product, the company’s goal is to be the trusted hardware security provider for the Internet. Last year, they launched a new HSM product, which is a hardware security module (small as a thumbnail) that can be used on servers for key management and other cryptographic primitives. The YubiHSM has already seen tremendous early interest and adoption.
My first meeting with Yubico was with their founder and CEO, Stina Ehrensvärd. At the time, I knew a lot about the product (as most people in security do), but very little about the personalities behind it — and I was blown away. Stina laid out the history and the grand vision of the company, and I want to highlight a few things that made quite an impression. First, her goal since inception has been global and sweeping: to secure the Internet for every user. Second, a Swedish national, she came to Silicon Valley as an outsider and has not only helped to create a standard that has been widely adopted (including by Google and Microsoft), but she’s built a profitable and hugely successful company on little outside capital.
Internet security is an area I’m personally very passionate about and I’m a true believer in the Yubico vision and approach. I’m thrilled to be joining the board and working with the team on this journey forward.