
Securing Online Identities with Simple, Secure, Open Standards

BSidesSF · 2019 · 32:29 · 116 views · Published 2019-03
Style: Talk
About this talk
As Volvo realized when developing the three-point seatbelt, security needs to be simple and work in a single gesture, or users won't adopt it. Volvo also knew that in order to scale to every car and user, their invention needed to be an open standard. Eventually, all countries made the seatbelt a legal requirement, and it has since then saved millions of lives. The future of strong online identities is following the same path and must be simple to use across all computers and mobile devices. Several years ago, the Swedish/American authentication innovator Yubico co-developed the open authentication standard U2F (Universal 2nd Factor), which was further developed by the open standards organization FIDO Alliance. Since being deployed by Google staff and end users, U2F devices have significantly reduced fraud, support calls, and time to login compared to mobile software authentication. We are today moving beyond U2F with the evolution of FIDO2, a new open standard which delivers on removing the need for a username and long, complicated passwords. Microsoft has already incorporated this standard to allow for passwordless login into Microsoft Accounts, and we expect to see much more passwordless support for hardware security keys as we continue into 2019. Stina will explain the advantages presented by FIDO U2F and FIDO2 in comparison to one-time passwords (apps, SMS, tokens) and smart cards, how and why these technologies will continue to coexist in the coming future, and where they fit in the larger identity ecosystem.
Transcript [en]

Awesome, and we have Stina Ehrensvärd, the CEO and founder of Yubico, speaking on securing online identities with simple, secure, open standards. Let's give a round of applause to Stina.

Thank you so much, everyone. This day is a great day for internet security. This is from today's news with VentureBeat, and the news headline says "W3C approves WebAuthn as the web standard for password-free logins." We are very proud that the team at Yubico gets to be a leading contributor behind making this mission happen. It is a big day for internet security because it is the single largest internet security problem that we're addressing. Oops, that was wrong. So we're all here to secure the internet, but the number one problem is a hacked online identity, followed by old unpatched software, and only 10% of the remaining hacks are due to any other causes. So an open standard that actually addresses this problem can have a big impact. I founded a company twelve years ago to help make this happen. At the time I had no idea that twelve years later I would be standing here and telling this story; I just wanted to help.

If you have any questions, this is the way you can submit them. The presentation will be about twenty-five minutes and there will be ten minutes for questions, and I have some technical expertise with me here so that you can go super deep if you need.

So I continue to go on the wrong side here. So I'm just gonna tell everyone my story. I have a background in industrial product design. I'm not an internet security expert, but I have a passion for the internet. The first time I logged into the internet I was struck with something that would probably best be described as a spiritual experience: here's this place where we're all connected, where all of us can tap into the information and share. But it's clear that the internet was not designed for security; it was designed for sharing. And I learned that hands-on the first time I registered for an online bank. The bank said I would be secure with a username and password and a software that I downloaded on my computer. But I happen to know a former white hat hacker who said it would take him one day to write the code that would empty my bank account. So to inform the bank about this security risk I called up their customer service, and I got a very clear response on the other side of the line: can you please tell your friend to not do that.

So what I didn't tell the bank was that the former white hat hacker was also my husband and the father of my three children. We started dating when I went to industrial product design school; he had just left college. He dropped out of college because he was a hacker and had too much work to do. I assume all of you already know that. He built a working prototype of one of my designs; other young men had given me dinners and flowers, and I knew this was my man. We started collaborating, we started companies, and we wanted to address this problem. So I asked Jacob, what could he not hack? If he could hack this software and this username/password, what could he not hack? And he responded he could not hack a smart card. And I said, why isn't everyone using a smart card, what's the problem, why isn't my bank using it? And it was because they're so difficult to use: they require drivers and client software in a CEO model, and they were not designed for the web and they were not designed for mobile.

So I called up the bank again and said, is that true, is that true, you don't have good security because it's too difficult? And they confirmed he was right, and they also confirmed that the single biggest problem they saw was actually driver and client software, because all their users were sitting on different computers and phones and there was not one unified platform, so the support cost was massive when they tried to deploy these smart cards. And then I asked Jacob, hmm, the driver and client software, why do we need that? When I plug my keyboard into my computer I don't need a driver. And with that simple question Jacob responded, well, let's invent a smart card-like thing that identifies itself as a keyboard, so we don't need any drivers. And so we did.

So we called this invention the YubiKey, and it had a bold mission: it would be the next-generation smart card that will enable you to have one single key to any number of services. And it identifies itself as a keyboard, which is super simple: just touch it and it generates a long, complicated, encrypted passcode through the keyboard interface; you don't need any drivers. But no one really cared, not even the bank. When I brought it back to the bank a third time they said, oh, that sounds like an interesting invention, can you come back? We would be happy to try that out when you've tried it somewhere else with at least fifty thousand users.

So this one, this stair, you may know where it is; it's actually just around the corner. It is at the RSA Conference, it's an escalator, and this is back in 2008, eleven years ago. I had started my company with this bold mission but no one really cared, until there was another internet security company who said that they were going to license my technology. I arrived at the RSA Conference with the hope that we together would present as joint partners; I would have a press release, a nice booth. And the day before I arrived at the conference they actually changed their mind. And there I was at the biggest internet security conference on the planet: no customers, no money, a little bag with 50 prototype YubiKeys and a business card, and it looked really bad.

What I've learned as an entrepreneur is that when things are really, really bad, that's often when the biggest blessings could arrive. And so it did. A very clear thought came to me: okay, I don't have anything, but I have a key, and there are journalists there, and I think they may be interested in writing about this invention. So I walked up an escalator, and at the top of the escalator I bumped into a security podcaster. His name is Steve Gibson, and two weeks later he went out with a podcast saying: I was at the RSA Conference, it was a really bizarre thing, at the top of an escalator I met a woman and she had this key, it's a super cool key, it was the coolest new product at the show. So there we had the launch of the YubiKey.

And I'm gonna share a couple of stories. We started sending out these YubiKeys with free open-source servers across the globe. Steve Gibson's customers, readers, listeners were our first customers. And I'm just gonna share a quick story about the sysadmin from a university who sent an email headed "my dog just ate a YubiKey, please advise." That was the most fun email I ever got, but I did respond: if he's not a very small dog you're probably gonna be okay. And no YubiKeys, no animals were harmed.

The other email that had the biggest impact for this company, and for this new global standard I eventually will tell you about, was from Google. It was a security architect, an engineer at Google, who had started buying a few keys, had implemented them, and he wrote an email like: awesome, what is the quote for sending this out to all our employees? That's when I wrote my first business plan. We were 10 people at the time, we had no big sales force, we had no money, we had basically no investors, no one actually really cared, but Google cared. So I'm gonna move to Silicon Valley from Stockholm and bring my husband Jacob, my three kids, and we're going to work with Google and Facebook and all the internet companies to figure out how our technology can solve their problems, and eventually not only their employees' problems but their end users' problems. We're gonna develop the next-generation YubiKey together with these people. We don't have to be everywhere, we just have to be in Silicon Valley, and then eventually we have to be in Seattle, to figure out what this, whatever this is. And I continue to go the wrong way. So that is Silicon Valley, that is Silicon Valley.

And a year later we launched U2F together with Google. No, we actually didn't launch; we signed a partnership a year later with Google to develop U2F, Universal 2nd Factor, that's based on the YubiKey invention with a new protocol that we co-created with Google, that allows you to have one single security key like a YubiKey to any number of services without any shared secrets. So this is turning the whole model of identity upside down. In traditional single sign-on you have a single sign-on service where you can go to access everything, like your Facebook Connect, your G Suite. With this you actually have a key that you can sign up to any service, including a single sign-on service, a password manager, your government, your bank, but there are no secrets shared between these services.

So after we launched with Google, we are like this. Just before we launched with Google we actually contributed this idea to a standards organization named FIDO Alliance, and then we got a lot of other services making support for it. We provided free open-source servers, free technical support and guidance for anyone who may want to make support for it, and we also enabled our competitors, any other company who wanted to build these products; there was reference code available. The one that I'm really excited about today, I'm most excited about this, was actually GitHub. When they made support for YubiKey, their community voted U2F support to be the number one most wanted feature in Mozilla. So now we had another browser that was in the process of making support for it, because this secret that Jacob and the security engineers at Google had figured out is that we didn't need any drivers or client software, we can use public key crypto, if you make support directly into the browser. But we needed five companies on the planet to make that happen. We started with Chrome, now Mozilla was on. I also liked the way Facebook made support for this technology, because they said, hey, at the end of the day it has to be simple, so people don't want to bring up their keys every day when they log in. They're just gonna register the key, they're going to authenticate once, and that's it; that blesses their key with their computer, so you don't need to bring out the key every time. It's sort of like the root of trust: first you register it, and then the computer and the key and the service know that it's all connected.

I continue to go the wrong way. So a couple of years later Google put out a study where they had tested this technology for two years, and it was the best authentication investment in history. They had not had one single account takeover through phishing, they had been able to reduce support by 92% with a single simple fact:

instead of having one key that you log into, one phone, one token, they gave everyone three keys, because whatever you have, you're gonna lose or break or reset what you have, and if you have three you've got a backup. And they saved more than 17 million dollars with that. Also it never broke. When this news report came out Microsoft became clearly interested. Microsoft joined the FIDO Alliance and they said, we like this concept of a key that can protect against phishing at scale with any number of services, but we don't want to combine it with a username and password, we want to combine it with something, whatever, so we can scale it to more use cases. It could be a single factor, it could be two-factor, it could be passwordless, it could be biometrics. And this U2F then eventually became FIDO2; that was the passwordless promise.

So this is one slide comprising what is WebAuthn, that was launched today. It is U2F and FIDO2 comprised in one standard, and it is designed for the web. If we start with the first invention, it uses public key crypto. Public key crypto has been used for decades; I mean, smart cards were launched 40 years ago, and it's super good to protect against phishing and man in the middle, but with all the drivers and client software, the complexity it has been in the past, this was not possible to scale. So at least we go with something we knew is good. And why is public key crypto so much better? Public key crypto is a tighter integration between the service and the user. It doesn't send like a one-time thing that could potentially be hacked; it also doesn't require one single database that can be hacked. This is proven to be good but historically was complex. We also added a new feature where you have to touch it. No, actually the new feature was origin binding, where if you sign this up for a site, the key saves the URL to that specific site, so you cannot be tricked to go to a fake website, which is the number one biggest problem today with account takeover, these phishing scam emails. And then we had user presence. User presence requires you to actually touch it; you cannot be a remote hacker or a Trojan sitting somewhere else, you have to be a physical person by your computer. And then the invention that Jacob came up with, one key, any number of services, no shared secrets, is designed for privacy and for scale. There's not one single big brother mega company who sits on your identity, on your personal data; it's a distributed system.

So we started with a username, password, with a key. Together with Microsoft and the FIDO Alliance and the W3C community we have added more options. So a key could be a smart card or a ring or a chip that you build into your computer. It has to be some kind of hardware, but it doesn't have to be an external key; it could be a built-in key. And then you combine that with some other factor: it could be a password, a PIN, a touch, a voice, the range of whatever you believe is easiest for you and has the best user experience for that use case. And then the third most important thing: this is today on track to be supported in all leading platforms and browsers, including Apple, and that's why it had to move or expand from FIDO into W3C, because that's where all the big browsers are developing the standards that they agree on.

So here are three sample use cases where you can use WebAuthn today: to log in from your MacBook with the touch, to log in with the finger on your Android phone, or a YubiKey on the back of a phone. There are a lot of others, and there will be hundreds more products and services. Eventually everyone on the planet and every service on the planet will in some way touch this standard.

A lot of people come to me and say, hey, why do we need a hardware authenticator? Why did you do all this work, 11 years developing a standard that eventually will be built into all computers and phones, and your products may not be needed? And I said yes, that is perfect. Our products will live together with the built-in computers, because there will be legacy computers, there will be situations where you actually may not be able to move your login from one computer to a phone, and there will be situations when you want that root of trust to not be tied to your computer or phone, or you may need a backup because you lost your phone, and how would you then be able to log in? We are here to help this standard to grow to as many people and services as possible, so we are very excited that this is now being built into computers and phones.

And this picture just shows that this is not new. Someone said the other day to me, why another thing, why hardware, isn't hardware... I can assure you there is no other identification technology that is as widely spread as hardware. You see it in the chip, the chip you have in your computers, the chip you have in your passports, the SIM cards you have in your phones, in your driver licenses. And why do we have this chip, why do we have a SIM card? Because there is no other more simple and secure way to distribute and also revoke credentials. So this is the same model; it's the same thing that FIDO2, FIDO U2F and WebAuthn are based on, a hardware chip. But what we have developed together with this WebAuthn FIDO community is the next generation, the next-generation smart card that can scale beyond these use cases.

And I'm just gonna end with a perspective of what happened 60 years ago. 60 years ago there were no seat belts in cars and people died like flies on the highway. No one had designed the car for security. And there was a guy, he was an inventor at Volvo, who invented the three-point seatbelt, and invented it by addressing three questions: if security is gonna scale to a lot of users it has to be simple, it has to work with one hand, and it has to be an open standard. So he went up to the Google, no, to the Volvo board: this invention should not only be for Volvo, it should be for the whole world, let's give it away. They've had every car on the planet have a seatbelt, and so Nils Bohlin, who was the inventor, after that helped to save millions of lives. And this is the same situation we have with the internet. The internet was not designed for security, but if we would come together and drive standards that are easy to use, that work with one hand, that work within a second, and are taken into an open standard, and then we educate the world on this standard, and then we continue to develop the standard, and we make it an open standard so everyone can compete and come up with even better things, eventually we will have the government requiring us to use it, you have a little beep when we don't use it, like we have in our seatbelts. But that's where internet security is going. WebAuthn addresses the single biggest problem we have on the internet today, hacked credentials. It's not the only problem, but it's a really good start.

And if you want to help make this movement happen, if you want to compete with us, if you want to build products, drive adoption, here are resources we have. There at W3C you can read about the spec. We have free open-source servers available on GitHub, technical support; we have free technical support for those who sign up for a developer program. And I can share a cool story. There's another entrepreneur I knew who sold his company, and he was very lucky, he got a big check for that company, and he was using YubiKeys with U2F, and he was upset that his bank did not have the same good security as he's used to with his Facebook and his Google. So he called up the CEO of that bank and said, if you don't make support for U2F, FIDO2, WebAuthn, I'm gonna move all my money. There was a lot of money that the bank didn't wanna lose, and now that bank is making support, so you will see that later this year. You can do the same, whatever method you have.

This is just a big thanks from some of the people who have helped make this happen. This is my team; we are 170 people, we were 10 people when we landed here in Silicon Valley seven years ago. We work with a global internet security, internet standards community. We are very honored and blessed to be part of this, to make a small but important detail in the scope of internet security. So thank you. I have now ten minutes for questions. Any questions? No questions? One question.
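As an added illustration of the four properties the talk lists for U2F/WebAuthn (public key crypto, origin binding, user presence, and one key for any number of services with no shared secrets), here is a toy relying-party flow in Go. It is example code written for this page, not Yubico's, the FIDO Alliance's or any library's code, and it simplifies the real WebAuthn message formats: the names Authenticator, Sign and Verify, the rpID and origin strings, and the challenge values are all constructed for the example, and the browser's own rpID-to-origin check is left out so that the server-side origin comparison is what gets exercised.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Authenticator is a toy model of a roaming security key: it mints a fresh
// key pair per relying party (no secret is ever shared between services) and
// refuses to sign unless the user is physically present (touched the key).
type Authenticator struct {
	creds map[string]*ecdsa.PrivateKey // rpID -> credential private key
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{creds: map[string]*ecdsa.PrivateKey{}}
}

// Register creates a credential scoped to rpID and hands the public key to the
// relying party, which stores it in place of a password hash.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.creds[rpID] = priv
	return &priv.PublicKey, nil
}

// ClientData mirrors the clientDataJSON fields used here. In a real browser the
// browser, not the page, fills in Origin; that is what makes origin binding work.
type ClientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is the authenticator's answer that the browser relays to the server.
type Assertion struct {
	RPID       string
	ClientData []byte // serialized ClientData
	Flags      byte   // bit 0 = user present (UP), as in authenticatorData
	Signature  []byte // ECDSA over sha256(rpID) || flags || sha256(clientData)
}

const flagUserPresent byte = 0x01

// signedDigest is what both sides hash: the authenticator data (rpID hash and
// flags) followed by the hash of the client data.
func signedDigest(rpID string, flags byte, clientData []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	cdHash := sha256.Sum256(clientData)
	h := sha256.New()
	h.Write(rpHash[:])
	h.Write([]byte{flags})
	h.Write(cdHash[:])
	return h.Sum(nil)
}

// Sign answers a challenge for rpID. origin is what the browser observed and
// touched is whether the user pressed the key: no touch, no signature.
func (a *Authenticator) Sign(rpID, origin, challenge string, touched bool) (*Assertion, error) {
	priv, ok := a.creds[rpID]
	if !ok {
		return nil, errors.New("no credential registered for this relying party")
	}
	if !touched {
		return nil, errors.New("user presence required: key was not touched")
	}
	cd, err := json.Marshal(ClientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	if err != nil {
		return nil, err
	}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(rpID, flagUserPresent, cd))
	if err != nil {
		return nil, err
	}
	return &Assertion{RPID: rpID, ClientData: cd, Flags: flagUserPresent, Signature: sig}, nil
}

// Verify is the relying party's check. A phishing page can relay the real
// challenge, but the browser records the phishing origin in the client data,
// so the origin test fails before the signature is even examined.
func Verify(pub *ecdsa.PublicKey, rpID, expectedOrigin, expectedChallenge string, as *Assertion) error {
	var cd ClientData
	if err := json.Unmarshal(as.ClientData, &cd); err != nil {
		return err
	}
	switch {
	case cd.Type != "webauthn.get":
		return fmt.Errorf("unexpected client data type %q", cd.Type)
	case cd.Origin != expectedOrigin:
		return fmt.Errorf("origin mismatch: got %q, want %q", cd.Origin, expectedOrigin)
	case cd.Challenge != expectedChallenge:
		return errors.New("challenge mismatch (replay or wrong session)")
	case as.RPID != rpID:
		return errors.New("assertion is for a different relying party")
	case as.Flags&flagUserPresent == 0:
		return errors.New("user presence flag not set")
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(as.RPID, as.Flags, as.ClientData), as.Signature) {
		return errors.New("signature does not verify against the registered public key")
	}
	return nil
}

func main() {
	auth := NewAuthenticator()
	pub, _ := auth.Register("bank.example")
	good, _ := auth.Sign("bank.example", "https://bank.example", "challenge-1", true)
	fmt.Println("legitimate login:", Verify(pub, "bank.example", "https://bank.example", "challenge-1", good))
	// Constructed phishing scenario: a look-alike origin relays the bank's real
	// challenge; the recorded origin differs, so the bank rejects the assertion.
	phish, _ := auth.Sign("bank.example", "https://bank-login.example", "challenge-2", true)
	fmt.Println("phished login:", Verify(pub, "bank.example", "https://bank.example", "challenge-2", phish))
}
```

Each registered service ends up with its own key pair, so a breach of one relying party's credential database yields nothing usable at another; the origin check is why a relayed challenge from a look-alike site fails even though the user touched a genuine key; and the UP flag is covered by the signature, so a relay cannot set it after the fact.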

We actually developed the first reference design for Bluetooth, okay. So someone asked about Bluetooth. Half a year ago Google announced their own version of a security key which also included Bluetooth, so you can use it with an iPhone. And we, a year earlier, actually had developed a similar prototype; we contributed those specs to the FIDO Alliance, but due to security, usability and durability aspects we did not feel that that was the best product to put out on the market. Instead we initiated work on the Lightning key. I'm not saying that Bluetooth is completely bad, but it did not meet the security, usability and quality aspects of what our company wants to put out there. So unfortunately, it was the solution that was easiest at the time, given that Apple had not at the time opened up for this. But now they are engaged in this standard, so in the future Lightning will work, Bluetooth will work, USB-C may work. We don't know where we're... I mean, they have made support for USB-C with their iPads, and hopefully, which is my preference, NFC. It's such a simple and clean solution, it's already used for payments and access control over the planet, so just tapping a key against the phone is sort of the most natural user experience. So I hope one day that Apple opens up support for it for external keys too. That's... is that the answer to your question? Yes.

I mean, there's a lot of cool gadgets coming out now, you know, there's a ring, there are bracelets. I mean, Yubico right now, we're focused on keys that you hold in your hand and put on your keychain and plug into your computers, but there's a lot of other companies who are experimenting with form factors, and we may even go there somewhere in time. You know, I am convinced, as this standard moves forward, you will see it in watches, in other kinds of gadgets and things that you carry, other computing devices, or on computing devices that you carry on yourself. Thank you. Yes.

So we put out the first YubiKey in 2008 and we still have users who use it; that's 11, 12 years old. You know, as I told you the story about the dog, so it does survive a lot of hard environments. So in general YubiKeys do not expire. The only challenge in our case is that we put new features on them all the time, so a key that you bought in 2008 does not work with this new standard, this new, you know, the FIDO U2F, FIDO2, W3C standards. So that's the only downside, that the keys we put out in the past will not work. But any U2F key will work with FIDO2, with the WebAuthn standard. Was that the answer to your question? It works forever; we want it that way, because otherwise it's just support hell. We don't want people to not be able to log in. So we made it in a super robust plastic, there are no moving parts, it can be run over by a car, it can go through the washing machine. We decided to make it strong. Yes, or a dog. Yes, for a dog, yeah. Okay, any other questions? Yes. Yes, it did; this admin at the university said he washed it and it worked perfectly fine. Yes.

That's the super technical question that Jared, can you take that one? Yeah, hello, I'm [unclear] tech support. It's, you know, we put it to the SSH, we've talked to them, I think it's in discussion on how we want to evolve it. If you've got ideas on how to try to move keys, and in part of it it's just, you know, storing a bunch of public keys, and it's not really set up to that exactly the same way. I can use, you understand, sort of the same model, as try and do the standard service authentication. So I think it's just some infrastructure things; we wrote some sample frameworks, but I think we need more community support to get that through, because it's not sounding like we want it; most people still keep it cert-based. Any other questions?

So on that question, there's a lot of cool things coming out of this. There, you know, a version of this is being discussed for servers. All the leading credit card companies have joined, and there's discussion around next-generation payments, built on payment in the browser with this protocol, being used as the next-generation chip and PIN. There is also discussion about IoT; the same protocol could be used for IoT, for cars, for whatever. So yes, they're all good questions about how this technology can continue to evolve, how we can make it better, where it can go so we can continue to protect even more people and use cases. Yes. Oh, into humans, do we look forward to embedded chips into humans? I don't know, that's painful. I think there will be choices. I think there are some people who may actually want to have it embedded; they never will lose it and they're fine, just like some military services have, they implant chips into arms. And I think there should be choices. I hope that we don't live in a world where that's forced onto all of us when we are born; you know, that would be scary. Any other final question? I don't know how much time I have left, five minutes, so we could take more questions or we can move forward to the next thing. No more questions? Fantastic. It was a true pleasure to be here today. Thank you. [Applause]