A
This is Tom Uren. I'm here with another Risky Business News sponsor interview. Today I have with me Derek Hanson of Yubico. G'day, Derek.
B
How are you? I'm doing good, Tom. How are you doing?
A
I'm well. So Derek is the Field CTO of Yubico, and Yubico, when I first learned about them, you made those security keys that you would plug into your computer. And when I first learned about them, I thought, oh, this is wonderful. This is a perfect solution for so many problems that we've got. And now in 2025, it seems like the world has gotten more complex. The YubiKey is still a very good solution, but there are many, many more problems that I kind of didn't realize existed back then.
B
Absolutely. The YubiKey itself is a really good piece of technology that you could use to really deadbolt the front door. And we've always worked on how do we make sure it's easy to get into people's hands, how is it easy to use, making sure that the underlying technology is secure and reliable. But I think you're hitting on: as soon as you start to lock the front door, people are going to go around and check the windows and check the back doors. And we're starting to see more and more how you get that YubiKey to somebody, how you enroll that YubiKey, and the credential on that device matters, because everything that we used to take for granted in a password world, because the password was so weak, is now becoming points of exploit and attack.
A
Yeah. So one of the pieces of news over the last week or so is Clorox launched a lawsuit against its outsourced help desk provider. And the allegation is that the criminals would just ring up the help desk and say, I've forgotten my password. And the help desk would just say, okay, yeah, here's a new password. And they also said that they would reset MFA. So how are you thinking about what to do in those cases?
B
Account recovery has always been the biggest challenge. And so at Yubico, we've been working very hard on trying to make sure that we make that registration flow as simple and as quick as possible. Because, like, the issue I have overall with the help desk being blamed is that we actually haven't provided the tools for the help desk to verify somebody that's called them up and, you know, understand that I am talking to the right person, and then giving them tools to help them re-enroll securely. We've really ignored the help desk as a function from an IT and security perspective for a very long time, because the issue was they were walking through the front door. I mean, everybody had coined the phrase, like, hackers don't hack in, they just log in, because the password and a lot of the phishable credentials were just too easy to steal. Well, as phishing-resistant MFA gets rolled out, these other parts of the business, which we've largely ignored, both the cost of operating them as well as, like, the implication to security, are now becoming part of the spotlight. Clorox is just the recent example, but there's plenty of other people where the help desk has been exploited. And it's ultimately a problem of verifying who you're talking to and making sure that these channels that you've established are good. I actually ran into something this last weekend in my personal life that actually, you know, challenged this channels conversation, which was, you know, we were sitting here at home. You know, kids are going to have all their activities. And so my wife and I had a few minutes to sit down and just kind of relax before they all woke up and we all went crazy. And she sent me a post from a friend, somebody that we know who runs a small business, like, we engage with on a very regular basis. And it was a post saying, hey, my uncle is going into hospice care. He needs to sell some of this farm equipment. And it happened to be stuff that we were in the used market for.
So it perfectly lined up with these things that we were kind of excited about. And it was a known channel that we have communicated with this person over in the past. And we start going through this process, and all of a sudden I'm getting a weird request for an Apple Pay payment. That is what set off the alarm bells, that maybe this channel that I've already established with somebody that I was already trusting has been compromised. Well, you know, it turned out it was fraud. It turned out that the person's account had been completely taken over. And it also turned out that this was a teaching moment for my kids, because it was my daughter's horse riding instructor. And so she was very vested, like, what had happened to her, how, what's gone on? And so, you know, she read the messages, and I had said something along the lines of, you know, are you being held against your will, to the people? Because I was morbidly curious if this was part of the human trafficking issues and pig butchering stuff that we're seeing going on, you know.
A
Yeah.
B
And so it was immediately blocked, as you would expect. Never got an answer, but those were the conversations in our house last weekend. And that's an uncomfortable place. But the reality is it all comes back to the same problem that Clorox was facing, or the help desk for Clorox is facing, where it's, I'm talking to somebody, they're assuming it's a semi-trusted channel, that they're talking to somebody who called them for help, because nobody wants to call the help desk. So they're assuming that this is legit, and we have no tools in place for them to actually verify who they're talking to, reissue a strong credential in a trustworthy manner. And that's what we're working on right now. And that's what has to become a bigger part of everyone's story: securing the entire lifecycle for those users.
A
Yeah. So I guess in that particular story, because you knew them personally, you had another way of communicating with them. Is that how you got out of that situation?
B
Yeah. I mean, all of a sudden, you know, somebody's asking you for money, you get a weird Apple Pay thing. I'm like, you know, asked my wife, I was like, hey, can you just text her and confirm that this is, you know, this is legit? You know, you're in this enough that all of a sudden you start seeing red flags, your hair stands up and you're like, I don't know, you know. But it was that perfect confluence of things. We were looking for somebody we thought was trusted. And thankfully we did go out and text, because we found out her account, like, had been completely taken over. All the recovery mechanisms had been set to different accounts and a different email or phone number. So there was no ability for them to go back through and prove that they really should own the account. And, you know, consumer identity at scale, like, you know, a social media platform, which is what we were communicating over, is incredibly difficult. And so I don't want to dismiss or minimize what they were doing, but there were no tools for us, as somebody who was aware that that account had been compromised, to report it.
A
Right.
B
And there were no tools for them to get back to somebody to really help onboard. So all the recovery mechanisms are what's being attacked. And I think the conversations around the advancements in AI are actually going to exploit more and more of these channels, because really we have some fairly weak signals for: is it the human, is it the right human that we were talking to in place? Yeah.
A
One of the stories I saw in the last week was that someone was automating, I think it was ChatGPT, but some LLM, to do something online. And the news was the machine got to the 'are you a human?' prompt and was just like, yep, I am a human. And ironically it just worked. So whatever signals the service provider was getting weren't good enough. So I guess that's a perfect example of what you're saying. Like, people talk about AI being useful for information security as well as for attackers, but are you seeing that play out so far? Is it like a race that is level, or is the attacker somehow a bit ahead right now?
B
I think the attackers are going to be a little bit ahead right now, because, you know, when we talk in this industry a lot of times about the latest tool, the latest technology, the reality is we can have a new technology, but it's an acquisition of a product, it's a rollout effort of that product. It's a huge endeavor to take a new technology and tool and roll it out into an enterprise. And ultimately the attack side is always going to scale first, because they don't have the infrastructure to set up and manage and protect. And so I do think the attackers are ahead, and it's not just because of the logistics problem, but I also think it's because of a scale problem. Because really, to build a good playbook for attacking an organization, it's a data management thing. Where are all the endpoints, what are the services running there? And can I stitch together a chain of attack that gets me into what I ultimately want, which is an account takeover so I can do something else? You know, that account takeover is kind of like when they've got their beachhead established. And I think ultimately we've seen over the last five, ten years it go up and down, the percentages of what percentage of breaches are tied to account takeover or identity credential compromise. But the reality is it's just continuing to be that problem, because we haven't gotten the basics done right. And those basics are: we need to finish rolling out the zero trust architecture, where we don't trust everything by default, and we need to finish getting the user lifecycle ironed out all the way through, so that it's not just phishing-resistant auth that we're doing; we're onboarding users in a phishing-resistant manner, we're recovering them in a phishing-resistant manner, and the things that they're doing are not using weak technology that we know to be phishable in their day-to-day jobs.
And so that is kind of the brilliant basics that we need to be doing well, so that we can then take advantage of what AI is going to enable a defender to do, which is analyze all of these risk signals and really help spot something that's anomalous.
A
So, Derek, last time, I think it was last time we spoke, one of the sort of light bulb moments for me was this idea of syncable passkeys. So prior to our discussion, I had thought that passkeys were going to be tied to a device. And that was both a great idea, but also, I can see, inconvenient for consumers. Well, it's inconvenient for me, because I get a passkey for, I don't know, eBay or something, and then I log in on my iPad or my phone, and then, oh, where's my passkey gone? I don't have it. And so I can understand why there's syncable passkeys, but it seems like that also presents problems, right?
B
It absolutely does. And I think it's not that syncable passkeys, when I say introduce problems, like there's something inherently wrong with it. It's another tool in the toolbox. And so if we are talking about holistically protecting people, syncable passkeys are one of those tools that need to be available. But what syncable passkeys did is introduce a whole slew of new identity events that we now need to be looking at and analyzing. Because what a syncable passkey really is is a private key, or a file, that is being copied from device to device every time that you sign into a browser. And if it's the default password manager on that browser or you have a third-party password manager, every time you sign into that new browser or that new password manager on a device, that's now a new event signal that needs to be looked at. Because, you know, most of the time we're thinking about it through the positive side of, oh, my passkey is now available on my phone. But the reality is, who just signed in? Was it really Tom signing in on his phone, or was it somebody else signing in to get a copy? And so what we need to be looking at is how do syncable passkeys, and the files that get copied around, how are they paired with strong identity signals on things like YubiKeys? So that maybe the first time that I register myself on this phone for my passkey provider, I'm using my YubiKey, but every time after that I'm using a local credential on that device to unlock that vault. There are solutions that are starting to come together, and you're going to see more and more with that, out of one of the capabilities in FIDO called PRF, which is a pseudorandom function. It's a thing that can be used where data on the web can be decrypted by that FIDO credential. It's the underpinning technology behind some of the passkey sync mechanisms that some of the people are using.
But what we're getting to is a world where the devices that you carry as authenticators and the devices you carry for compute devices pair together to give a good signal that you are the person signing in that should be granted access to that data on this device. And we can now use the combination to enroll very good user experiences. Where I've got a credential on that device, it always unlocks my stuff. I think when we pair these things together is when we're going to get to that world that you've got security on that new device, but you also have that accessibility and that usability because nobody wants to sit there and go, I forgot my key, I got to go across there and go get it. We want that device that we've already established trust in to just work.
A
Right? Right. So I guess in the case of some of the help desk examples, where help desks have given out passwords or reset MFA, it might be that you've got a number of signals associated with a device, and if they're all good, like, that's in a way not a green light, but it's a signal that it's more trusting. Whereas if you've got something that's just totally greenfield with no prior history, perhaps we need extra verification, what have you.
B
Yeah, I actually believe organizations that roll out passkeys will do very minimal work at their help desk to actually support account recovery. They will probably only be doing things like, I'm sending you something to a previously established address, or, you know, I'm sending you to an in-person location to register, or you're going to have to work with a colleague that actually knows who you are, that can connect with you, to then get that signal that we need to help you enroll. The signals of, I just need the phone number to call up and I had a few bits of information about my employment history, are not going to be good enough, because it's too easy to compromise that avenue for enrolling a credential.
A
Right. Derek Hanson, Field CTO of Yubico. Thanks very much.
B
Thank you, Tom.
Risky Bulletin Podcast Summary: "Sponsored: The Phishing-Resistant Employee"
Release Date: August 10, 2025
In this episode of Risky Bulletin, host Tom Uren talks with Derek Hanson, Field CTO of Yubico, about what it takes to make employees phishing-resistant: the limits of current authentication rollouts, the weakness of help desk account recovery, and the emerging role of artificial intelligence on both the attacking and the defending side.
Tom Uren introduces Derek Hanson and recalls first encountering Yubico, the company behind YubiKeys, the hardware security keys that act as a physical authentication factor.
Derek acknowledges the robustness of Yubikeys but emphasizes that the cybersecurity landscape has grown more intricate since their inception.
A significant portion of the conversation addresses the vulnerabilities inherent in traditional help desk operations, highlighted by the recent lawsuit between Clorox and its outsourced help desk provider over fraudulent password and MFA resets.
Derek points out that account recovery remains a critical challenge. He criticizes the lack of secure verification tools for help desks, which often assume legitimacy without robust verification.
He further shares a personal anecdote illustrating how compromised communication channels can lead to fraud, underscoring the necessity for secure and reliable user verification processes.
The discussion shifts to the role of artificial intelligence, particularly large language models like ChatGPT, in cybersecurity.
[07:18] Derek: "And there was no tools for them to get back to somebody to really help onboard... those recovery mechanisms are what's being attacked."
[08:30] Tom: "One of the stories... was the machine got to the 'are you a human?' prompt and just like, yep, I am a human."
Derek expects attackers to stay slightly ahead in using AI for now: a new defensive tool has to be acquired, rolled out and operated across an enterprise, whereas attackers scale without that infrastructure, and their playbook is largely a data-management exercise of mapping endpoints and services and chaining them into an account takeover, the beachhead for everything that follows.
He argues the answer is the "brilliant basics": finishing the zero trust rollout and ironing out the whole user lifecycle so that onboarding and recovery, not just login, are phishing-resistant and day-to-day work does not depend on phishable credentials. Only with those in place can defenders use AI to analyze risk signals and spot anomalies.
A pivotal segment of the episode explores the concept of syncable passkeys—credentials that can be synchronized across multiple devices—and their implications for both security and user convenience.
Derek clarifies that while syncable passkeys introduce new challenges, they are essential tools in a holistic security strategy. He outlines the security risks associated with copying private keys across devices and the necessity of pairing passkeys with strong identity signals, such as Yubikeys, to ensure authenticity.
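One way to act on the "who just signed in?" point above, as an added example that is not code from Yubico or the podcast: a small detector that walks identity events in time order and flags a passkey-vault sync onto a device the user has not used before unless a hardware-key (roaming FIDO credential) authentication by the same user on the same device happened shortly beforehand. The event shape, the field names, the ten-minute window and the sample events are all constructed for the example.

```javascript
// Added example, not Yubico's or the podcast's code. Event records, field
// names and the window are constructed for illustration.
const WINDOW_MS = 10 * 60 * 1000; // hardware-key auth must precede the sync by <= 10 min

// Constructed identity-provider / password-manager events, in time order.
//   'hw_key_auth' = assertion from a roaming (hardware) FIDO credential
//   'vault_sync'  = passkey vault unlocked / copied onto a device
const SAMPLE_EVENTS = [
  { ts: '2025-08-09T08:00:00Z', user: 'tom',   type: 'hw_key_auth', device: 'laptop-1' },
  { ts: '2025-08-09T08:03:00Z', user: 'tom',   type: 'vault_sync',  device: 'laptop-1' },
  { ts: '2025-08-09T09:30:00Z', user: 'tom',   type: 'vault_sync',  device: 'laptop-1' },
  { ts: '2025-08-09T21:10:00Z', user: 'tom',   type: 'vault_sync',  device: 'android-7f2c' },
  { ts: '2025-08-09T22:00:00Z', user: 'alice', type: 'hw_key_auth', device: 'phone-2' },
  { ts: '2025-08-09T22:02:00Z', user: 'alice', type: 'vault_sync',  device: 'phone-2' },
  { ts: '2025-08-09T23:40:00Z', user: 'alice', type: 'hw_key_auth', device: 'phone-2' },
  { ts: '2025-08-10T01:00:00Z', user: 'alice', type: 'vault_sync',  device: 'phone-9' },
];

// Returns the vault_sync events that landed on a device the user had not
// previously synced to without a recent hardware-key auth on that device.
function detectUnattestedSyncs(events) {
  const sorted = [...events].sort((a, b) => Date.parse(a.ts) - Date.parse(b.ts));
  const attestedDevices = new Map(); // user -> Set of devices whose first sync was attested
  const lastHwAuth = new Map();      // "user|device" -> ms timestamp of latest hw auth
  const flagged = [];

  for (const ev of sorted) {
    const t = Date.parse(ev.ts);
    const key = `${ev.user}|${ev.device}`;

    if (ev.type === 'hw_key_auth') {
      lastHwAuth.set(key, t);
      continue;
    }
    if (ev.type !== 'vault_sync') continue;

    const known = attestedDevices.get(ev.user) ?? new Set();
    if (known.has(ev.device)) continue; // device already bootstrapped with the hardware key

    const hw = lastHwAuth.get(key);
    if (hw === undefined || t - hw > WINDOW_MS) {
      // A flagged device is deliberately NOT added to the attested set, so every
      // further sync from it keeps firing until someone investigates.
      flagged.push({ ...ev, reason: 'new device synced passkey vault without recent hardware-key auth' });
      continue;
    }
    known.add(ev.device);
    attestedDevices.set(ev.user, known);
  }
  return flagged;
}

module.exports = { SAMPLE_EVENTS, detectUnattestedSyncs };
```

On the sample data this flags two events: Tom's vault landing on `android-7f2c` with no hardware-key auth at all, and Alice's vault landing on `phone-9` when her only recent key assertion was on `phone-2`. The same-device requirement is the important part; an attacker who phishes a session on their own machine while the victim legitimately taps a key elsewhere should not inherit that attestation.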
He points to FIDO's PRF extension (a pseudorandom function evaluated by the credential) as the mechanism behind some passkey sync designs: data stored on the web can be decrypted only with that FIDO credential, so the first registration on a new device can use the YubiKey while later unlocks use a local credential on that device.
This synergy aims to balance security with usability, ensuring that users can access their credentials seamlessly without compromising on protection.
In concluding the discussion, Derek underscores the importance of robust account recovery mechanisms and the limitations of traditional methods. He advocates for more secure and verification-intensive processes for help desks, moving away from easily exploitable avenues like phone numbers or employment history.
He envisions a future where account recovery processes are tightly integrated with strong authentication signals, minimizing the risk of unauthorized access and enhancing overall security posture.
Enhanced Authentication: Physical security keys like YubiKeys provide robust security, but the enrollment and recovery flows around them must evolve to address the new points of attack that appear once the front door is locked.
Help Desk Vulnerabilities: Traditional help desk operations are significant security weak points that require advanced verification tools to prevent unauthorized access.
AI in Cybersecurity: While AI offers powerful tools for defenders, attackers are currently leveraging AI at a faster pace, necessitating rapid advancements in security measures.
Syncable Passkeys: Synchronizing passkeys across devices introduces both convenience and security challenges, which can be mitigated by combining them with strong identity verification methods.
Zero Trust and User Lifecycle Management: Implementing zero trust architectures and comprehensive user lifecycle management are crucial for minimizing account takeover risks and enhancing overall security.
Conclusion
The episode "Sponsored: The Phishing-Resistant Employee" offers a comprehensive exploration of the current and evolving challenges in cybersecurity, particularly focusing on authentication mechanisms and the critical role of secure account recovery processes. Derek Hanson of Yubico provides valuable insights into how organizations can bolster their defenses against sophisticated phishing attacks and account takeovers by embracing advanced technologies and rethinking traditional security paradigms.