Sponsored: The phishing-resistant employee - Risky Bulletin

Summary

Risky Bulletin Podcast Summary: "Sponsored: The Phishing-Resistant Employee"

Release Date: August 10, 2025

In this episode of Risky Bulletin, host Tom Uren engages in a deep-dive conversation with Derek Hansom, the Field CTO of Yubico, to explore the evolving landscape of cybersecurity, particularly focusing on creating phishing-resistant employees. The discussion navigates through the challenges of modern authentication methods, the vulnerabilities within traditional help desk operations, and the emerging role of artificial intelligence in both defending and attacking digital infrastructures.

1. Introduction to Yubico and Its Evolution

Tom Uren introduces Derek Hansom and delves into the genesis of Yubico, a company renowned for its Yubikeys—security keys designed to enhance digital security by acting as a physical authentication factor.

[00:16] Tom: "When I first learned about them, I thought, oh, this is wonderful. This is a perfect solution for so many problems that we've got."

Derek acknowledges the robustness of Yubikeys but emphasizes that the cybersecurity landscape has grown more intricate since their inception.

[00:49] Derek: "The Yubikey itself is a really good piece of technology that you could use to really deadbolt the front door... everything that we used to take for granted in a password world is now becoming points of exploit and attack."

2. The Help Desk as a Security Vulnerability

A significant portion of the conversation addresses the vulnerabilities inherent in traditional help desk operations, highlighted by the recent lawsuit between Clorox and its outsourced help desk provider over fraudulent password and MFA resets.

[02:09] Tom: "Clorox launched a lawsuit against its outsourced help desk provider... because nobody wants to call the help desk."

Derek points out that account recovery remains a critical challenge. He criticizes the lack of secure verification tools for help desks, which often assume legitimacy without robust verification.

[02:09] Derek: "We've actually haven't provided the tools for the help desk to verify somebody that's called them up... it's a problem of verifying who you're talking to."

He further shares a personal anecdote illustrating how compromised communication channels can lead to fraud, underscoring the necessity for secure and reliable user verification processes.

[05:14] Derek: "It was fraud... the person's account had been completely taken over... there was no ability for them to actually verify who they're talking to, reissue a strong credential in a trustworthy manner."

3. The Impact of AI on Cybersecurity

The discussion shifts to the role of artificial intelligence, particularly large language models like ChatGPT, in cybersecurity.

[07:18] Derek: "And there was no tools for them to get back to somebody to really help onboard... those recovery mechanisms are what's being attacked."
[08:30] Tom: "One of the stories... was the machine got to the 'are you a human?' prompt and just like, yep, I am a human."

Derek expresses concern that attackers currently outpace defenders in leveraging AI for malicious activities. He argues that while new security technologies are being developed, attackers can scale their efforts more rapidly, exploiting vulnerabilities before defenses can adapt.

[08:30] Derek: "I think the attackers are ahead... it's a scale problem."

He emphasizes the need for comprehensive security measures, such as zero trust architectures and robust user lifecycle management, to counteract sophisticated AI-driven attacks.

[09:30] Derek: "We need to finish rolling out the zero trust architecture... we're onboarding users in a phishing resistant manner."

4. Advancements in Passkey Technology

A pivotal segment of the episode explores the concept of syncable passkeys—credentials that can be synchronized across multiple devices—and their implications for both security and user convenience.

[10:52] Tom: "I had thought that pass keys were going to be tied to a device... syncable passkeys seems like that also presents problems."

Derek clarifies that while syncable passkeys introduce new challenges, they are essential tools in a holistic security strategy. He outlines the security risks associated with copying private keys across devices and the necessity of pairing passkeys with strong identity signals, such as Yubikeys, to ensure authenticity.

[11:33] Derek: "Syncable passkeys... introduced a whole slew of new identity events that we now need to be looking at and analyzing."

He discusses the integration of FIDO’s pseudo-random function (PRF) into passkey synchronization, enhancing security by ensuring that only trusted devices can decrypt and access passkeys.

[13:00] Derek: "We're getting to a world where the devices that you carry as authenticators and the devices you carry for compute devices pair together to give a good signal that you are the person signing in."

This synergy aims to balance security with usability, ensuring that users can access their credentials seamlessly without compromising on protection.

5. Future Directions and Best Practices

In concluding the discussion, Derek underscores the importance of robust account recovery mechanisms and the limitations of traditional methods. He advocates for more secure and verification-intensive processes for help desks, moving away from easily exploitable avenues like phone numbers or employment history.

[15:37] Derek: "If organizations that roll out passkeys will do very minimal work at their help desk to actually support account recovery... it's too easy to compromise that avenue for enrolling a credential."

He envisions a future where account recovery processes are tightly integrated with strong authentication signals, minimizing the risk of unauthorized access and enhancing overall security posture.

Key Takeaways

Enhanced Authentication: Physical security keys like Yubikeys provide robust security but must evolve to address new challenges in the digital landscape.
Help Desk Vulnerabilities: Traditional help desk operations are significant security weak points that require advanced verification tools to prevent unauthorized access.
AI in Cybersecurity: While AI offers powerful tools for defenders, attackers are currently leveraging AI at a faster pace, necessitating rapid advancements in security measures.
Syncable Passkeys: Synchronizing passkeys across devices introduces both convenience and security challenges, which can be mitigated by combining them with strong identity verification methods.
Zero Trust and User Lifecycle Management: Implementing zero trust architectures and comprehensive user lifecycle management are crucial for minimizing account takeover risks and enhancing overall security.

Conclusion

The episode "Sponsored: The Phishing-Resistant Employee" offers a comprehensive exploration of the current and evolving challenges in cybersecurity, particularly focusing on authentication mechanisms and the critical role of secure account recovery processes. Derek Hansom of Yubico provides valuable insights into how organizations can bolster their defenses against sophisticated phishing attacks and account takeovers by embracing advanced technologies and rethinking traditional security paradigms.

Transcript

A (0:00)

Foreign. This is Tom Uren. I'm here with another Risky Business News sponsor interview. Today I have with me Derek Hansom of Yubico. G', day, Derek.

B (0:14)

How are you? I'm doing good, Tom. How are you doing?

A (0:16)

I'm well. So Derek is the field CTO of Yubico and Yubico. When I first learned about them, you made those security keys that you would plug into your computer. And when I first learned about them, I thought, oh, this is wonderful. This is a perfect solution for so many problems that we've got. And now in 2025, it seems like the world has gotten more complex. The Yubico is still a very good solution, but there's many, many more problems that I kind of didn't realize existed back then.

B (0:49)

Absolutely. The Yubikey itself is a really good piece of technology that you could use to really deadbolt the front door. And we've always worked on how do we make sure it's easy to get into people's hands, how's it easy to use making sure that the underlying technology is secure and reliable. But I think you're hitting on as soon as you start to lock the front door, people are going to go around and check the windows and check the back doors. And we're starting to see more and more how you get that Yubikey to somebody, how you enroll that Yubikey. And the credential on that device matters because everything that we used to take for granted in a password world because the password was so weak, is now becoming points of exploit and attack.

A (1:37)

Yeah. So one of the pieces of news over the last week or so is Clorox launched a lawsuit against its outsourced help desk provider. And the allegation is that the criminals would just ring up help desk and say, I've forgotten my password. And the help desk would just say, okay, yeah, here's a new password. And they also said that they would reset mfa. So how are you thinking about what to do in those cases?

B (2:09)

Account recovery has always been the biggest challenge. And so at Yubica, we've been working very hard on trying to make sure that we make that registration flow as simple and as quick as possible. Because, like, the issue I have overall with the help desk being blamed is that we actually haven't provided the tools for the help desk to verify somebody that's called them up and, you know, understand that I am talking to the right person and then giving them tools to help them re enroll securely. We've really ignored the help desk as a function from an IT and security perspective for a very long time. Because the issue was they were walking through the front door. I mean, everybody had coined the phrase, like, hackers don't hack in, they just log in. Because the password and a lot of the phishable credentials were just too easy to steal. Well, as the phishing resistant MFA gets rolled out, these other parts of the business, which we've largely ignored, both the cost of operating them as well as, like, the implication to security, are now becoming part of the spotlight. Clorox is just the recent example, but there's plenty of other people where the help desk has been exploited. And it's ultimately a problem of verifying who you're talking to and making sure that these channels that you've established are good. Actually ran into something this last weekend in my personal life that actually, you know, challenged this channel's conversation, which was, you know, we were sitting here at home. You know, kids are going to have all their activities. And so my wife and I had a few minutes to sit down and just kind of relax before they all woke up and we all went crazy. And she sent me a post from a friend, the somebody that we know runs a small business, like we engage with on a very regular basis. And it was a post saying, hey, my uncle is going into hospice care. He needs to sell some of this farm equipment. And it happened to be stuff that we were in the used market for. So it perfectly lined up with these things that we were kind of excited about. And it was a known channel that we have communicated with this person over in the past. And we start going through this process, and all of a sudden I'm getting a weird request for an Apple pay payment. That is what set off the alarm bells, that maybe this channel that I've already established with somebody that I was already trusting has been compromised. Well, you know, it turned out it was fraud. It turned out that the person's account had been completely taken over. And it also turned out that this was a teaching moment for my kids because it was my daughter's horse riding instructor. And so she was very vested, like, what had happened to her, how, what's gone on? And so, you know, she read the messages and I had said something along the lines of, you know, are you being held against your will to the people? Because I was morbidly curious if this was part of the human trafficking issues and pig butchering stuff that we're seeing going on, you know.