Yubico CEO Stina Ehrensvärd joins Yahoo Finance Live to discuss how to help consumers stay safe online in this week’s Tech Support.
DAN HOWLEY: Welcome back. We're here on World Password Day. I am Dan Howley, and we're speaking with the CEO of Yubico, Stina Ehrensvard. And we're going to talk about right now for tech support is these little keys. Essentially what they are is a means to protect your password and your accounts anywhere in the world. So I want to welcome in Stina. And Stina, can you just give us an idea of what Yubico does?
STINA EHRENSVARD: So thank you for inviting me here today. This little key you see here is called a YubiKey. And it is designed to protect your login. We are in a time where passwords are the number-one security reason-- the reason why we are seeing all these attacks on the internet. And we have to stop that.
And passwords are not secure enough, and SMS is not secure enough, and the phones and the apps on the phones are not secure enough. So we invented this little key that you plug into your computer or your-- tap to your phone, and you will not be hacked.
ALEXIS KEENAN: Hi Stina, this Alexis Keenan here. Now, I've been talking to users of these mobile apps of online platforms that allow customers to exchange-- whether it's cash, crypto, securities-- exchange money between them. And so some of these customers have lost hundreds of dollars. Some of them have lost hundreds of thousands of dollars.
And also during the pandemic, there's been this increased adoption of these platforms getting infiltrated by bad actors. So why are companies that are in the business, the very business of letting consumers exchange money between them-- why aren't they adopting these types of physical keys and this higher level of security?
STINA EHRENSVARD: Well, they are adopting it. We have shipped more than 15 million of these keys to 160 countries. And all the leading tech platforms, all the social media, all the leading password managers-- there are several government services, and now there are some banks in the process of making support for these keys. So it's just a matter of time. Very good progress.
DAN HOWLEY: So Stina, I sent one of these up on my iPhone. I have an iPhone 12, because I'm bougie like that. And obviously, you have the lightning connector here. You plug this in. And I managed to set it up for my Google account, where I was able to use this as the form of two-factor authentication.
And essentially, for people who don't know, two-factor authentication-- which you should all have, by the way-- is a means to use, say, text messages or an authenticator app to get a secondary password for your account. So you type in your password, you get this two-factor authentication notification. Now, this overtakes that two-factor authentication, right? So that instead of running the risk of, for instance, someone being able to copy your SIM card and getting the text messages that you would need for your two-factor authentication, this would fit in in place of that. And these can't be spoofed, is that right?
STINA EHRENSVARD: Exactly. So the problem today is that-- we've learned that using one password is not secure enough. But an app that you download on your phone or an SMS are no longer secure enough for the modern kind of phishing attacks that hijacks a session, and you don't know that you're attacked. We have learned that we shouldn't click on, you know, links that come in your email, PDFs that comes from someone that you don't know. But the problem is, you don't even see these kind of new attacks. They just happens in real time.
They're called man-in-the-middle attacks or advanced phishing. We learned about them at a higher-- it became more public. This kind of new breach become more public last year when Twitter was hacked. So what we designed was a physical hardware key that stops these attacks and can be used across any number of services.
And you set it up with your computer and your phone-- and with most services that you set it up with, you only have to register it once, and then it just works out of the box. So you don't actually have to bring the key every time you log in, which is-- which makes it super easy to use.
ALEXIS KEENAN: So Stina--
STINA EHRENSVARD: And we created a standard-- yeah, I just want to let you know that we created a standard around this. Because we said, it cannot work if I have one key to every service I have to log into. So our company was founded in Sweden. And then we moved to California to work with the tech giants, to work with Google and Microsoft and Facebook and all the leading browsers and platforms to get this into the devices and into the platforms and into the browsers.
ALEXIS KEENAN: And you've got an impressive list of investors and advisors, I see, too. I want to ask you about the fact that around the globe, there's not really the infrastructure and the regulation yet to make sure that all of these types of new types of money platforms are secure. So with there being no legal resource for folks who have lost money from these types of accounts, how exactly do you impress upon consumers that not all two-factor authentication is created equal?
STINA EHRENSVARD: I would start saying that every-- every kind of two-factor authentication is better than a username and password. But SMS-- that is the most common-- is definitely not secure enough. It can be-- it is being hacked at scale. An app that you download on your phone is far better than a username and password, but is not secure enough for the more advanced phishing attacks.
Smartcards-- and some of the more advanced traditional two-factor authentication we've learned to use with our bank, these bank authentication tokens, some of them are fairly secure. But they only work for one service. And you have to use them every time. So we wanted to create was a key that can work across any number of services. And once you set it up, it just works. You don't have to bring it up every time.