Cyber security is a a growing concern for the world's biggest tech companies - but Stina Ehrensvärd's Yubikey device provides a hardware-based answer that is now used religiously by the likes of Google and Facebook, while it is partnering with Microsoft to create a passwordless Windows
When Swedish-born Stina Ehrensvärd’s husband, a former white hat cyber hacker, told her he could break into her online bank account back in 2008, she was understandably concerned.
When she told her bank this – not mentioning it was her husband Jakob who informed her of the fragile online security of the day – and it said the solution was to ask him not to, she was inspired.
“That’s when Jakob and I decided we had a mission – to build a security key that you cannot hack,” says Stina, who set up her company Yubico the same year and now employs 150 people.
“You can log-in to Gov.uk and pay your taxes with a YubiKey, and then you can log-in to Facebook using the same key, and there’s no information shared between these services.
“It’s completely safe.”
The YubiKey is a mini-USB key that is plugged into a computer and generates encrypted pass codes.
Because the log-in code is only provided when the key is physically inserted, it verifies the user is human and not a remote hacker.
Starting at £18 each, the device can fit easily on a keyring, with some versions able to complete authentication by tapping against a phone and others doubling up as earrings.
Individuals use them to lock down their own Facebook, Google and Dropbox accounts, while businesses can safeguard entire fleets of laptops.
YubiKey is used by all of Google’s employees and BMW’s engineers to help keep their email and online accounts safe from hackers.
Facebook is another client, while it has a partnership with Microsoft to create a passwordless log-in for Windows.
While Yubico’s headquarters is in Stockholm, it rubs shoulders with those tech giants in a second base within the Silicon Valley – where Stina is one of the very few female company founders and CEOs.
A story set in cyberspace
The mother-of-three’s inspiration for the YubiKey began with a fascination for all things online.
Stina, 50, says: “I was inspired to start the company because I care a lot about the internet. I think it’s one of the most brilliant inventions of all time.
“And the first time I logged on to the internet I actually had a spiritual experience – I had goose bumps.
“I realised – here is the place where we’re all connected, we all share information, and we all can prosper.
“But then I also learned it wasn’t secure when my husband told me he could hack into my online bank account in 24 hours – and I knew this whole human experience could fail.”
She quickly realised the potential of the internet, but recognised security – or the lack of it – was standing in the way of its continued progress.
At the time, the 2008 cyber-attack on the US military’s computer systems was the worst of its kind in history and the decade since then has seen numerous other major breaches hit the headlines, from three billion Yahoo email addresses being affected in 2013 to more than a third of England’s NHS trusts being hit by ransomware in May 2017.
“Countries are not firing cannons at each other; they’re sending cyber hackers at each other, that’s the reality,” Stina explains.
“Probably 80% of the troubles you read about regarding the internet in the press today is about a password being decrypted, or an SMS being hacked, or some kind of sensitive information being leaked.
“We knew that anyone with a phone or a computer could eventually be hacked as long as at some point they downloaded software, which everyone does.
“The only thing you could not hack is hardware security – so we came up with YubiKey.”
Despite creating a solution to the problem of online hacking, Stina’s YubiKey was not yet ready to underpin a business model.
“The problem was you had to have a separate key for every service, and that’s not feasible or scalable,” she says. “People will end up with too many keys.”
“We struggled with investors because everyone said the future isn’t in hardware – it’s in the smartphones, biometrics and apps etc.
“So to move things forward, we moved to Silicon Valley.”
Stina says no one had really cared about her tech until she met a security podcaster and showed him the YubiKey.
“He said it was the coolest authentication hardware he’d ever seen – and he had 100,000 geeky listeners who became our first customers,” she recalls.
“One of them worked for Google, and he started implementing YubiKey for one of its servers.
“He came to us and asked what the port cost would be for implementing 20,000 keys – the entirety of its staff at the time.
“And when Google implemented YubiKey for its staff, not a single one of them was hacked.”
Once Google published a report detailing the infallible security of Stina’s tool, the Swede had the best advocate anyone in the tech world could ask for.
“All the other Silicon Valley cloud companies became our customers,” Stina says.
“Now, 19 of the top 20 internet companies on the planet are using my product. Some of them are even making support for the end users.”
“A passwordless future”
Even with all the success, Stina is keen to keep moving things forward to a future without the need for passwords.
The technology is there, she believes, but there are daunting challenges on the road ahead.
“We want to move to a passwordless world. So a user can log into any computer or phone, and then they have a key or a card integrated somewhere that lets them be secure,” she explains.
“The challenges are getting everyone on board – all the leading platforms are now engaged – but the time frame is not as fast as I would hope.
“Google and Facebook have launched, Mozilla is launching soon, Microsoft has launched a beta and will launch fully later this autumn.”
Perhaps the biggest issue, though, is getting companies to realise just how big a problem cyber security is.
Human nature dictates that many only come to companies like Yubico once they have been breached, rather than being proactive against hacking.
For Stina, she uses the metaphor of the car seat belt when trying to explain its worth.
“In the 1950s, there were no seat belts in cars and a lot of people died on the highways.
“There were ten times fewer cars but more fatal accidents than today.
“At first, automakers denied the problem because they were afraid people wouldn’t buy their cars if they knew they could die in them – but that was the reality.
“Eventually it became so obvious – so companies started working on security measures, including Volvo – who came up with the concept of the three-point seatbelt.
“The guy who made it did something that really inspires me – he went up to the Volvo board and said we should give this away to the world and every automaker so they can make people safe.
“Millions of people have been saved because of his invention.”
Clearly, the market has reacted with confidence in the technology as the company has grown aggressively.
It achieved a reported $25m (£18.8m) turnover in 2016 and this is said to have doubled in the past two years, with YubiKey now used by thousand of companies and millions of people in 160 countries.
In June last year, Yubico raised $30m (£22.6m) in a funding round – a major milestone for a company that until then had only raised $4.5m (£3.4m) from angel investors including the likes of Salesforce CEO Marc Benioff.
It comes at a time when the European Union’s General Data Protection Regulation (GDPR) has come into force, a legislation that could result in fines running into millions of pounds if companies don’t provide adequate protection against hackers.
Stina says: “GDPR really just recommends you have good security.
“It’s a good first step but it will be interesting to see how it actually play out.
“I think GDPR 2.0 will be requiring good security from the start.
“But in order to require good security it has to be standardised and scalable, built-in and effective – which is why the YubiKey could be so important.”
Sweden’s Bjorn Bjorg effect
The inexorable rise of Sweden’s tech scene, which includes the likes of Spotify, SoundCloud, uTorrent and Candy Crush video game studio King, has been dubbed the “Bjorn Borg effect”, owing to its seemingly overnight success.
In Stockholm, where Yubico has its head office, there are the second-highest number of billion-dollar tech companies per capita after Silicon Valley.
According to the Organisation for Economic Co-operation and Development (OECD), there are 20 start-ups – those with upto three years lifespan – per 1,000 employees in Sweden, compared to five in the US.
Stina has a theory about such an unlikely source of so much innovation.
“Growing up in Sweden, we are raised to think independently,” she says.
“Kids are not punished for questioning, which is really important for innovation because it starts with asking questions and not being afraid of doing so.
“Sweden is challenging – I noticed that my Swedish team is actually much tougher to work with than my American team because they know the importance of asking questions.
“It’s an interesting combination in Sweden that involves learning to collaborate and learning to be independent – both of which are key in our industry.
“I’m constantly asking my team questions – starting by not knowing and having an open mind is very important.”
What it’s like to be a female CEO in tech
Tech is one of the most male-dominated industries in the world today, while the Silicon Valley is almost universally ruled by men.
About 4.4% of venture capital deals went to female-founded companies last year but Stina looks to have bucked the trend with the recent $30m investment.
“I do this with my husband – we have fantastic guys in my company who made this happen – so it’s not a girl thing that made this happen it’s really a team thing,” she explains.
“So far my experience of being a woman in tech has mainly been positive. People listen to me because they find me interesting.
“I have been lucky to meet good people who help me – I know that’s not the experience of a lot of women and I don’t want to minimise their experience.
“But the people you meet who are full of themselves are arrogant to both women and men – it’s not just women who are affected.
“I have three kids and I got the question once, ‘how is it having three kids and working?’ And I said ‘you can ask my CFO, he has four children’.”
Stina is often asked why there aren’t more women in tech and she cites a potential lack of interest in the industry among her industry.
She adds: “There are a lot of great women entrepreneurs in other areas and people of both genders become successful in things they’re passionate about – but for some reason, I’ve found there are fewer women who are passionate about tech. I’m just not seeing them.
“Women go into other areas and are successful there – but in tech, and especially internet security, there are very few.
“Maybe it will change, maybe it’s a cultural thing, I’m not sure.
“If you go 50 years back, there were so few women in power positions generally, so things are changing quickly.
“I think the coolest thing is when men and women start collaborating together and they don’t care about gender – the most successful companies on this planet are very diverse.
“It’s proven that the most profitable companies have a strong female workforce – and the most successful countries on this planet have women out in the workforce who have a strong voice, too.”