Patrick Gray (3:57)

Yeah. Because I mean previously you would have to, you know, the user would kind of have to do that themselves or an administrator would have to do that for them. Right. Like it wouldn't just be, you know, I would think it would be unusual for that to be just ready to go. Right. For places that are using Yubikeys right now.

Jared Chong (4:13)

Yeah. And then you ask you just HR to work with it to figure out when the person is going to come to the office or do some remote handshake and tell the person this is your username id or send an SMS with a temporary code. You can imagine other not great onboarding processes. So we really took a hard look at what is the pain point for adoption at scale. And I don't think it's just for hardware authenticator. I think software, software apps too. Right. I mean we've heard from customers like we've got three different software with three different types of authenticator. We've got a Microsoft authenticator, we've got this Google Authenticator and then sometimes we have this other social media account authenticator. Like it's really bad, honestly. Right. So we need to take all these provisioning things that people don't talk about in industry as much now. I think a lot of people are talking about it to just say when I want to start my journey, it just works, right. I don't want it to prevent me from a productive workforce or for their productive user.

Patrick Gray (5:11)

So walk us through the process then. Right. Because it's one thing to say, oh, okay, the Yubico, you know, so the Yubikey is just magically there when someone starts and it's ready to go, it's pre enrolled everything they can just, you know, touch the little button and bang, off it goes. But what's the process for that? Having gotten there?

Jared Chong (5:30)

Yeah. So we've introduced a suite of products called the Enrollment suite. And so when you become a customer of Yubuckle, besides getting Yubikeys, you actually sign up for the service. It's called the UB Enroll suite, which is part of the Yubikey as a service offering. And also you have to be a customer of the IDP that you are using. Right. Either software or Microsoft. And so when you have these two components, essentially you as the administrator set up this workflow. You tell, you tell Yubico this is I want to use Okta as my idp. I have the, you know what we call it a service workflow. When I onboard a user, these are the API connections that I need to make and these are the users that I want to enable. These are a process where the HR system or the service system can provide the addresses. There are various API calls and we take care of, really think of it pre enrolling a credential for Microsoft or Okta on behalf of the user for the company. And then we ship these keys that are pre registered for again the customer with the IDP credentials to the user. And so all we have a system in place, a service system in place to connect to. Could be for example a ServiceNow workflow plus the Okta engine at the back. And the IT individuals just says every time you have a new employee, kick off this workflow, send out a Yubikey to this individual and your own business.

Patrick Gray (7:08)

Okay, so who's doing the sending of the, of the key? That's you. So there's some sort of API call and what does that go to their home address. Do they need to have done this provisioning in advance of the staff member starting so that they have the key or is there like as part of this workflow they can get in without it until it turns up? Or like how does that, that part of it work?

Jared Chong (7:28)

So we do, it's part of the Yubikey as a service. We also do the delivery. I mean some companies want to do it themselves in person, it's totally fine. But quite a number of customers would say Yubico, here is the, you know, the HR onboarding and here's a set of users or even could be existing users as well go make the shipments. Right. So there's, there are various APIs, calls that we communicate with the system of record for the company and we take the addresses, we slap a label on top of the package, pre registered Yubikey and off it goes to in most cases in a remote location or a home address.

Patrick Gray (8:06)

Yeah.

Jared Chong (8:07)

Right.

Patrick Gray (8:07)

So what happens though if the key hasn't arrived by the time the user is starting their job? Right. I'm guessing there's a process there.

Jared Chong (8:16)

Different companies have different processes for how they would recover or give a temporary access, I would say for the users now. An interesting stat itself. Right. So Okta actually rolled this out for Okta employees themselves and they deployed 6,000 Yubikeys all over the. Actually it was 42 countries in under four months.

Patrick Gray (8:40)

Yeah.

Jared Chong (8:40)

And they have 100% coverage. And you would say, well they've got this Okta app. Which is true. They do have the Okta app. So what they actually do is that it complements one the Okta app and the Yubikeys work hand in hand. So you can start off with the Okta app and then have the Yubikey or you have the Yubikey and then you bootstrap the Okta app. So it's really seamless from the perspective of like you should minimize any calls to the help desk. And the user can self serve because they have the hardware authenticator and the software app and they compliment each other. Then they shouldn't be calling each other when something or calling helpless and something goes wrong. So I think the industry needs to think beyond trying to say it's an authentic hardware authenticator versus software authenticate. I think if you look at a passwordless wall, then the only thing that really ties you is some hardware. It could be the hardware, the phone itself or it could be hardware, the Yubikey. Right. Because there's no nobody to call to reset anything. Which means that anytime you call it's like I got a new phone, I gotta do something about it. I've got or I need my Yubikey, I need to do something about it. So in both scenarios it's a physical event and the more industry think about a physical event rather than some software magic, then I think we can close some of the gaps that we've seen. Because the attackers, honestly, if you said everybody got Fido authentication with a Yubikey and all the attackers to do is say, I've lost my phone or lost my Yubikey, please call helpdesk and the only way you or the way that you get back into your account is send me an SMS code, then why even start the journey? And maybe we talked about this before, so.

Patrick Gray (10:13)

Yeah, we did. And it's interesting you already mentioned, you already kind of alluded to this when you talked about those API calls that determine the address that a Yubikey is going to be sent to. I mean, that is a query of the HR system, right? So unless an attack has already managed to go into a HR system and change an address or do some social engineering around that, plus having the existing credentials and onwards and onwards and onwards, like it is a much more sort of robust procedure when you're using those HR systems as like, I think you've described it as a source of truth for that address data. But I guess, look, just going back to my question, which was like, well, you know, what do you do when the key is not there yet? I guess what you're saying is just make sure the key gets there in time.

Jared Chong (10:55)

Absolutely.

Patrick Gray (10:56)

Yeah, yeah, that makes sense. And I guess there would be other procedures, right. If it's not there in time, that would be the exception to the rule. And then an admin could pull one out of a drawer and then do a separate provisioning or something like that, right?

Jared Chong (11:08)

Yes. And so that's why when we introduced Enormous Suite, we've also added a client piece as well. Because we know some customers says we can't wait for the keys, but can I provision it locally? Right. Think of it. If you are in one of these countries that we are not, we don't have the warehousing and it takes some time to get there, especially in Asia. Then some of the customer says, you know, we have a local it, you know, shop that we trust. Can we just provision it at that location, like a call center, for example? And we say absolutely. And so part of this enrollment suite, you have the capabilities for customers to take an application and then do the enrollment on behalf of the user for, you know, Okta or Microsoft in house, so to speak, then it solves that you know, I need a key right away and I got a bunch of yubikeys on the draw here. Well, let me just set it up for you right now and you can go.

Patrick Gray (12:03)

Yeah, I mean, I guess the main point of all of this, the main benefit is that you're not relying on the users to self enroll anymore, correct?

Jared Chong (12:12)

Yeah.

Patrick Gray (12:12)

Yes. I mean, how much of a sticking point has that been to sort of universal coverage at large organizations? I imagine there's always going to be a few hundred out of a few thousand who just can't get there.

Jared Chong (12:23)

Yes. And you know, that's what we need to focus on, which is where possible you should make it as let's solve for the 80% that you can actually get keys there, provision them and you know they have a very, very superior experience to use the service. When you start, they're always going to be counter cases. There's just no way physically, whether it's places that you can't get phones because the phones just don't work because it's a weird OS and patch and all these problems or the up keys just can't clear customs or whatever, there's always going to be corner cases and then you have to probably default to some amount of not so great authentication. But the good news is that if you solve for the majority, then your risk engine can actually do the job better. Right. Think about it. If everyone has weak signals, then you have to pay attention to all these weak signals all the time. If you said a category of problems is Ltd. With 80% of your users, then you can actually streamline your detection engine and all these other things that people care about on the 20% or even less. And over time it'll be a very tiny slice of it. So I don't think we should focus on like let's be perfect. I think we shouldn't perfect be the enemy of good to try to solve what most companies want, which is let's take care of the majority of my users, the most prized ones especially, then move to exception processing.

Patrick Gray (13:46)

Yeah, I mean proofpoint talk about that as well. Right. Which is in the case of, you know, you've got these two sets which are people who get attacked a lot and people who tend to exhibit risky behaviors like clicking on every single link that arrives by email, executing every single attachment and once you've got like an overlap over those very attacked people and the people who exhibit risky behaviors, you know, you know where to apply your extra controls and your extra monitoring and I guess you're saying the same Thing which is the people who don't have that coverage, you know, you might want to look at maybe different permissions or different access models for those people just to, just to cover off that risk a little.

Jared Chong (14:24)

Exactly. And we also talk about different policies. Right. So because it's not technology solves part of it, but also policy. Right. If the people who doesn't have a Yubikey lost Yubikey, Yubikey is not there or the phone app that doesn't have that and you have to depend on an sms, then maybe they are restricted to only do certain actions. Right. And they, maybe it's a short lived session as well. And so you, you kind of ratchet that up. And I think it's one of the things we've heard from a customer is like you can't change everything at the same time, but you can make it a little bit painful. And so over time you make it even more painful. And so then people like don't lose things, Right? So of course people are always going to lose things. But if you make it both a care and stick and over time you say, you know what, these are really risky behaviors and you seem to constantly lost the authenticator, like we're going to let your manager's manager know what's going on here. And it's like something that got to change. The human behavior has to change. So I do think there's a human element to all of this. And I think sometimes we forget that people are going to gravitate to what they're comfortable for many, many years. And so when we introduce technology, we should reduce obviously the friction to adopt the technology, but also understand that change management can take a while. So you know, let's try not to solve every single thing at the same time when you kind of launch your journey to go with a new technology.

Patrick Gray (15:45)

All right, well anyone who's interested in that can go Google Yubico enrollment suite and get all of the details on that. But Jared, now we're going to talk about your recent trip to Singapore. So you went over as part of a delegation and met with a whole bunch of people who are talking about, you know, big infrastructure projects. And you found that the lack of focus on cybersecurity was a little bit concerning and also that governments are in a bit of a bind, as I said at the intro, because if they start putting onerous cyber security requirements on a lot of these projects, they don't get funded. But look, let's just start with your reflections on this trip and then, and then we'll get into it.

Jared Chong (16:25)

Yes, it's definitely an interesting visit for me. It was the first stick visit by the Majesty the King of Sweden and I was part of a Swedish business delegation to Singapore. I'm Singaporean, I work in the US and I work for a Swedish company. So I represent a very interesting combination of.

Patrick Gray (16:47)

Yes, you are a Singaporean visiting from America with the King of Sweden.

Jared Chong (16:52)

Yes, exactly. And I think, you know, we are all global citizens and in order for, for any company to say you want to make an impact globally, you have to represent that V from all sides. What this business trip was about was to build some good relationships for Swedish businesses and Singapore. I mean, Singapore actually, interestingly enough, has a long standing relationship with several very big Swedish organizations or companies over the many years that Singapore has gone independent. For example, they've been working with Axion for a while, they've been working with Saab and various projects that involves transportation infrastructure and so on and so forth. So I was part of this delegation. My eyes were open to sort of how these two nations have been collaborating and cooperating over the many years. But. But the agenda for the visit was quite specific. It was about creating a world where there's sustainable energy, which is I think all important. And as well as the ability to think about how nations can scale with some of the latest technology and innovation. Obviously the AI is always going to be there in any business topic, but in terms of specific areas like healthcare for example, or transportation. So trying to modernize different parts of infrastructure to scale for what we need as a society for future things. And it always came back to an interesting conversation about critical infrastructure. Because if you think about energy, if you want to support billions and trillions of all these machines that actually have to process things for the AI engines, it's a lot of energy. And then you ask your question, how are you going to get these energies to the right place in time if you don't want to depend on the fossil fuels? So then you have a lot of talk about storage and energy grids and who can manage it is a decentralized model. And all these interesting conversations, which is really refreshing in some ways. Sweden, as we know, is very forward in terms of sustainability. But it was interesting because when we talk about all these gigantic critical infrastructure projects, the word cybersecurity start to float to the top, which is like, if we don't protect critical infrastructure, then everything collapses really quickly. And I was pleasantly surprised to hear that cybersecurity is part of the mix as well. Besides Just building big infrastructure roads and all these energy grids. But I don't think that there is enough cybersecurity representation in some of these national infrastructure projects. It's always a side conversation in my ear and it's quite evident because I think I was one of there were like 50 businesses and there were only two cybersecurity companies. So I feel like as an industry, and you talk to all the cybersecurity folks everywhere in the world, we're underrepresented in some of these large scale infrastructure projects. And if we're underrepresented in these large scale infrastructure projects, then you will bet that cyber security is a patchwork when they start to roll it out. And that's what I've observed, which is eye opening. A bit humbling as well, because people want to talk about cyber security but no one is there to represent what to solve. It's just the bad guys are going to attack us. We got to defend them. Like, okay, what do you mean? Can you be more specific?

Patrick Gray (20:36)

Yeah. What percentage of this infrastructure spend should go into cybersecurity and what sort of controls are we most worried about? Like, they don't do that.

Jared Chong (20:43)

They, they don't do that, right?

Patrick Gray (20:44)

No, I think though that it is changing. Right. I think funnily enough, some of China's more recent campaigns, like Vault Typhoon in the Asia Pacific have really made politicians start thinking about these risks. Did you feel like there was a bit of a disconnect between the people who want to build the infrastructure, like the private interests who want to build the infrastructure, and maybe some of the politicians who might oversee some of these projects from the, from the political dimension, was there, was there any disconnect between the way those two cohorts sort of thought about this stuff?

Jared Chong (21:17)

A little bit. Right. So give one example. So they talk a little bit about, you know, you need to invest in new green tech to solve the sustainability problem. And the first question was that, who's going to fund this? Who's going to fund this project? And they brought three major areas, right? You have the government, of course they can do something, they can invest. Then they brought up private sector and in some ways private sector are the banks, where the banks actually lend money. And the third one are the VC community. And it seems like there isn't consensus to go back. It's like we need to show evidence that this tech is going to work first. But that's, that's a conundrum, right? Like how can you enable startups if the funding is low? Until it works. If it works, it works. I don't need your money anymore because it's, I've been proven. So there's, there's this subtle conversation which is like governments are only going to fund so much and the banks are making really, really hard to get loans and the VCs are not really interested because they only care about major, you know, startups that proven a while. And I think that this culture of nobody wants to go all in, you've got to write policy that forces people to think differently. But then it is a constant challenge. When you write policy, the industry says, well, and then nobody's going to fund that if you make such a high bar. So there is a bit of that going on, not just in Singapore, it's everywhere.

Patrick Gray (22:41)

I think also anyone listening to this who's interested in some of the energy stuff happening in that region have a Google of Sun Cable, which is a plan to build a massive solar farm in the Australian desert and then cable the electricity to Singapore. And one of the Atlassian founders is behind that. And you know, depending on who you talk to, it's either genius or completely insane, but at least it's interesting. So just on that topic of, you know, critical infrastructure, has that been a growth, a particular growth area for Yubico or is it one of those sectors that's trailing in an alarming way, like which way is the ball bouncing on critical infrastructure? And Fido Oauth it's unfortunate that most.

Jared Chong (23:26)

Of our big infrastructure projects happen because something happened. We love to get ahead of it. And I mean the reality is all these organizations, energy companies, folks that do create the software, create the systems and all these things, they understand the risk and the risk is really high. They are fighting in resources and a whole bunch of other things, but they only really act when we have an incident. Remember Colonial Pipeline? So only when such a catastrophic thing happens, then the government steps in and starts to create policy and almost mandate everybody moves on and solves that. We see again back to the first point. We don't see that at the beginning of the journey, which is like if you're going to build a new infrastructure that is really critical for the growth of the nation, you need to have representation of cybersecurity folks at the beginning. And identity is part of the conversation in terms of making sure that infrastructure cannot be hijacked by anyone. So it's coming it some of the projects that we've kind of massive. But it's really unfortunate because it took an incident before people decided that that's what they want to focus on.

Patrick Gray (24:42)

So I guess what you're saying is the critical infrastructure is lagging here, you know, because when I think of people who I know who have yubikeys, there's a lot of people who work in technology, maybe some people who work for higher security environments like banks and whatever, where they're really motivated to keep attackers out of their environment. Infrastructure operations seems all about margins. Right. Like all about doing it as cheaply as possible. Right, because you're talking about, you know, often basic services like energy, water, whatever, but it's at massive scale and so they're just not going there.

Jared Chong (25:13)

Yeah, it's just like the OT environment. It's the same. Right. They just, they do what's necessary to get by tomorrow. And if you need to think more than a few years out, it's like, I'm going to try to improve my infrastructure to deliver the energy faster first, rather than I need to improve my infrastructure to defend against cyber attacks. Which is to your point. I mean, they are lagging for quite obvious reasons because of the way that they operate as a business.

Patrick Gray (25:42)

Well, I guess the point you're making too is that governments can only do so much because if you start putting owner cybersecurity requirements onto a lot of these projects, they won't get funded.

Jared Chong (25:50)

Correct. And that's the head on collision with the two entities trying to do better and then regulators saying that you got to do all these things to be compliant and grow the business. But then this is, well, who's going to actually fund all these projects?

Patrick Gray (26:09)

Now look, Jared, a common theme that we often talk about is the transformation to passwordless authentication. Part of me worries that this is a little bit like talking about the year of Linux on the desktop, which is it's something that's always just that little bit out of reach in the future. But how's all of that tracking? You know, we've seen in some sectors, like hospitals for example, are big on passwordless because it's just a lot easier for the staff who are constantly having to move around between different terminals, imaging devices, whatever. They can just passwordless off retail as well. People going onto registers and things like that enterprise, I haven't heard all that much like where's it lagging, where is it booming? Walk us through the state of passwordless in December 2024.

Jared Chong (26:57)

From an overall perspective, we're making progress as an industry. Some would say we're making pretty reasonable progress in general. And some of us will say, well, it's going as usual, takes time approach from an enterprise perspective. I think there's an awareness, I would say for most organizations that have heard about strong authentication that there's a desire to go passwords. And so if you are on the Microsoft track, for example, if that's what you're using as your idp, I think you've heard enough reasons why you want to go there. And enterprises however, are not just Microsoft. And I'll give you a little color on this one, which is there are a lot of organizations depending on Microsoft idp, but there's a lot of organizations that still create their own homegrown things and those organizations mostly are in the high assurance scenarios like financial sectors. While they may have pockets of population using Microsoft idp, a lot of it is what they want to control. They want to depend on any cloud banner to protect or execute on their vision of what is necessary for the end users, for example. And so if you look at financial institutions, there's still a general reluctance to just go passwordless. And I say this because if you were to log in the bank for the last two or three decades, that's what you've been doing for a long time, right? And so instead of the addition in there is like you log in with an OTP code, right? You like username, password and some OTP thing, SMS or app or whatever it is and or some push app thing to move that whole experience. Now it's one thing to say I moved everyone in Gmail to a passwordless law because it works out of the box with Android, which is great. But there's another thing that says that now every banking customer says that I want that too. And there's a complete human reaction in your gap. You don't do that anymore. And they say, well why not? Why can't I log in my password? I've been doing this for so many years now and it's almost built ingrained when you first remember logging into your bank account when you were younger. And so I think the change can only happen with a generational change. Change of how we log into services.

Patrick Gray (29:27)

Yeah. Radio. Well, Jared Chong, we're going to wrap it up there. It was great to see you as always for our annual catch up with Yubico to find out what the state of things is. A pleasure to chat to you and we'll do it again next year.

Jared Chong (29:40)

Thank you very much, Patrick.