Security Now! Transcript of Episode #143 Page 1 of 30 Transcript of Episode #143 YubiKey Description: Steve and Leo delve into the detailed operation ...
"I took Bill's drive to work with me the following week and put it back in his laptop. It booted right up, and Bill was able to recover hundreds of family photos he'd been storing on his laptop for years. Elated and grateful, Bill offered to pay me for my services.
Instead, I asked that he make a donation for his gratitude. Here's what I got from him this week. He said, quote, 'Pete. Hopefully by now you received my two voicemails letting you know I dropped off your hardware back on your box. I was able to capture all of my family pics. Many thanks. I made a donation to St. Jude's Children's Hospital in your name for $200. Again, many thanks. Cheers and regards, Bill.'" So then Pete ends saying, "I'm glad I could make a difference, but you and your wonderful product SpinRite made it possible."
Steve: So I thought that was really neat.
Leo: Nice story. Nice story. Now would you like to introduce our guest? Because Stina's on the line with us right now.
Steve: Hey, Stina. Welcome, and it's nice to talk to you again. I guess it was, what, about four weeks ago that we bumped into each other at the top of the elevators in San Francisco.
STINA EHRENSVÄRD: Yeah, that was my lucky day. It's been - and thanks for inviting me.
And you've been a relief for me. I mean, it's been literally around hundreds of emails that come from all over the world who's now, you know, ordering our stuff and asking all these kind of questions. And things are taking off.
Steve: Well, that's fantastic. I'm going to talk about the technology and the detailed operations of the YubiKey after we're through talking to you. But I loved your story sort of about where the name came from, where the company came from, and also sort of your vision for authentication. So I wanted you to - I thought our listeners would get a kick out of hearing it directly from you.
Leo: Are you a security researcher, Stina? What's your background?
then Simon, who is the - another Internet security expert in the team. He's been, you know, putting some efforts into this, too.
Leo: So you're a product designer. And are you a security buff? Or was it all your husband's idea? Or how did this come about?
STINA: We worked very closely. I asked all these stupid questions and, you know. I can tell you, actually, you know, we started together working as a - we actually cofounded a company called Cypak a few years ago, Jacob and I. And this was in the RFID space. And one of the many applications for the technology was the [indiscernible] smart card with a PIN keypad on the card itself. And we called this card the PIN-on-Card. And we were very proud of it because it was so secure. I mean, I think it could have been one of the most secure solutions ever invented. We got the European Innovation Award, 200,000 euros for this. And we were just, you know, the world wants, needs this. And we were just so excited. Until we started talking with customers.
You know, we hadn't even thought about that this card - and it was very secure. But it required a specific [indiscernible] chip built into a specific card with an integrated keypad. And it had to be connected in our [indiscernible] reader. And it needed client software. So when we actually - we were approached by an online bank. And we were planning a pilot with them. But by the end of the day they, you know, one of their bank guys called me up and said we really like the automatic thing. But we don't like the card reader, and we don't like the client software. Our customers, they are, you know, they are from all platforms, all browsers. The Windows versions, the Mac, Firefox. And this client software thing would probably require us to hire 30 new full-time employees only to take care of all the online support.
So this bank guy, he said to us, you know, you're good inventors. But, you know, you can come back when you've removed the client software and the reader. So that was a good challenge. We, you know, we said okay, thanks, we'll make a try. And we started to examine it, you know, looked at the computer, Jacob and I, and I asked a stupid question, you know? I said, there's a keyboard to this computer. You know, and that doesn't require a driver. And he said, hmm, yeah, you're right. So, you know, why couldn't we make a code generator that's simulating the HID driver, you know, acting the same way, with - and we, you know. And, yes, that's where the idea started.
And so we went back to the bank. We got - first we got rid of the client software, and then we made it into a USB fob to get rid of the reader. And we reduced the 12 buttons to one little button. And this was the first version of YubiKey. It was a fat, you know, looked almost like any other USB memory. And that guy who looked at it, he said, hmm, this is an interesting concept. But there's one problem. We prefer to buy security solutions from the big guys. So anyway, I thought it was a good comment.
STINA: Yes, just without imagination. So I thought I wanted a friendly name. And I like the word "ubiquitous." I envision this to be everywhere, mass market. So I started playing with the word "ubiquitous," and I ended up with Yubico. That's it.
STINA: So we, you know, so the first step, I had the prototype version. And now I realized I needed someone to say that this was a good product. So I asked people, you know, who can write a security report for me? And I came in contact with Simon. And he wrote an independent third-party security report. You know, the one I sent you, Steve?
Steve: Yes, yes, right.
STINA: And the good thing with this was when Simon had written his paper, he was so enthusiastic. So he said - he asked me if he could invest in the company and work for me. Well, but the problem was that I no longer had an independent security review, but I had the perfect inventor. So, yeah, you know.
Leo: It's a good sign when the guy reviewing your security says can I work for you.
STINA: Yeah, and it's on the website tomorrow, so anyone can look at this. It's, you know, it's not third-party, but he was third-party when he wrote it, you know. And Simon, he's a great guy. He is very passionate about open source security. And he recommended me at that time to fly over from Stockholm to an Internet identity workshop in California, and where I could learn more about this OpenID initiative that we think is a great initiative. And, you know, I would learn how we could fit in YubiKey in OpenID so we could enable one YubiKey to go to all Internets.
So I went to California to this workshop. And I met a guy from VeriSign. And he introduced me to another guy at VeriSign. And this guy, he said that the YubiKey could be quite interesting for them, "if." You know, this is the story. It's always been "if." If we could make this device to fit in a wallet and make it very, very cheap and in big volumes. So I thanked him for his feedback. I flew back to Sweden and started, you know, looking for designs. I'm a product designer, so I went on the Internet and said what are - what kind of USB devices are there that are really thin? And the other day a friend of mine gave me a very minimalistic USB key. It was just designed in two parts, a little circuit board and a plastic casing, that's it. So when I saw it I thought, you can't make it smaller, can't make it thinner, can't make it less expensive. And that's, you know, that was the inspiration for the current YubiKey design.
And meanwhile I had met this guy at VeriSign, he had introduced me to another guy at eBay. And I sent him, actually sent him the first version because we had - the thing wasn't ready yet. But I sent him the first version of the fat YubiKey. And I asked him to look at it because I thought eBay might be a big customer for me. And he said, you know, he wasn't very interested. He even didn't want to look at it. It took him four weeks before he even answered my emails. But then one Sunday in October he came back. And he - yeah. Actually this is what he wrote. So I'm reading from his email: "Dear Stina. I have now tested your product. I'm impressed by its simplicity. I think the YubiKey is the only hardware authentication token that would fulfill the requirements for Web 2.0 services. Looking forward to a further dialogue."
You know, that was a good email. So it just took four weeks. And after that he left eBay, and he started working for Yubico in California.
Leo: You're stealing people left and right.
STINA: So now I had an office in California. So I had an office in California, one in Stockholm. So it was Simon, me, and Paul. And, well, in January the little thin YubiKey was ready. And we started shipping the first pilot box. It was to one of Paul's friends who has set up a Chinese IPTV company called Dragon IPTV. We have a, you know, a theme on our website and a film that actually shows that service. And, you know, we're very enthusiastic because, you know, within a couple of months we had five pilots starting. And we didn't really understand, you know, the customers, they were so happy, they came back, and they said this works so perfectly, and the users love it. But the business really didn't - we didn't get any next orders. And eventually we asked them, and they said, you know, there is one problem. There's always one problem. And now they said, you haven't given us a price list, and we don't really understand your business model. Is this open source, or is it not open source? You know, you haven't been perfectly clear on that.
So when we started Yubico, Simon and I, we had envisioned Yubico as an open source company, a web shop where it's free SDKs with a developers community around it and with almost no salespeople, you know, people just sort of sending out things from the web shop, and no flashy offices, eliminating all the expensive layers of distributors and resellers who are now driving up the prices in these, you know, existing Internet security infrastructure. And Simon and I, we were very excited about this idea. We tested it on some Internet security professionals and other safe people we know in this industry. And they all warned us. Actually they warned us.
They said you're, you know, it's too risky. We would not recommend you to do that.
So we were sort of standing on one leg. You know, we didn't make [indiscernible].
The customers want to buy from us. We couldn't give them a price list. Because we didn't know, you know, we didn't know who we were. We just knew we had a great product. And then I bumped into you, Steve, so you made us, you forced us to make that decision, you know, emails coming, you know, literally they came in, you know, in my email box, hundreds of them. And I had to call Simon, you know, they're asking for prices. You know, we have to give them some prices. And they're asking for the SDKs. You know, [indiscernible] software [indiscernible]? And then I had another investor who actually joined a little later, a former CEO of Microsoft. So I called - he's the other, you know, we are the only ones taking the big decisions of this company so far. So it was very easy to make an on-the-phone-call decision, okay, now we go, just shift. We know we are taking risks. We know there are big challenges. But this is the way we want to do it, and this is the way that feels right.
Leo: I have to apologize because we probably should have explained what the YubiKey is because I think there are some people who are probably listening, going, all right.
[Talking simultaneously]
Leo: ...synopsize, Steve, give us a...
Steve: Yeah, I'll be covering that after we're through talking to Stina, in detail. But essentially it is what we talked about two weeks ago. It is an amazingly small little, essentially, piece of plastic that is an emulator of a USB keyboard. So it's - we have pictures of it in our show notes from two weeks ago and also this week's show notes, so people can see what it looks like. Or they can just go to Yubico.com and see pictures of it there. It contains cryptographic technology which essentially produces a one-time password which is typed into your computer by this little piece of plastic, by the YubiKey.
Leo: It shows up as a standard USB keyboard, as an HID device.
Leo: So it can do that. I mean, there's no magic, and it works with everything that supports HID, which is pretty much everything.
Steve: Well, exactly. So it's OS independent. And what Stina was saying before, the problem that people had with the RFID approach was that it needed - there had to be a companion reader, and you had to have client-side software in order to interface it. And what's so cool about this is, I mean, it's funny because when I bumped into Stina at the RSA conference, she was standing there and saw my press credentials and thought, well, maybe I could - I'm sure she was doing this with other press people, too. Maybe this person, who I don't...
STINA: I think I talked to about five people. You were the fifth one.
Steve: Oh, good. Well, I'm sure she was thinking maybe this person will help me get the word out. And being an engineer, when she said this is a one-time password device which is a USB keyboard, my mouth just dropped open because it's brilliant. And that's what I loved about the concept is that it just does what it does beautifully. And we'll go into the technology because the design that underlies this is spectacular.
But what I'm so pleased with, and the reason I wanted to give this a whole Security Now! episode, is that what Stina and her colleagues have decided to do is to make the backend authentication services free. No subscription, no license, nothing. They want to just sell the YubiKeys. And unlike a huge company like VeriSign that has a massive infrastructure that they need to support, and literally all the other companies that I saw on the RSA showroom floor, they were all into locking you in, signing you up, and they were big businesses that were looking for big corporate and offering big corporate solutions. Well, here is something, this YubiKey technology, that is - and I'm looking at the prices that Stina and her group have come up with. Quantity 1, price is $35. Quantity 10 is $25.