Article posted: Nov 15, 2016
Q&A with Jerrod Chong, Yubico Vice President of Solutions
Here at Versasec, we're building strong partnerships with the security industry's leading companies, including Yubico. Recently, we sat down with Jerrod Chong, Yubico's Vice President of Solutions, and asked him a series of questions. Here's Mr. Chong's perspective on two-factor authentication, YubiKeys versus traditional smart cards, IAM and more.
1. Where does Yubico see the strongest growth in two-factor authentication over the next two years? Please discuss in terms of regions, verticals and size of customer organizations.
We see strong growth in industries that are regulated. There has been a steady increase in interest from government, healthcare and financials. It is not a regional issue, but more a global need. In regulated enterprise environments, security upgrades happen on prescribed and calculated cycles. Deployments across these increasingly complex environments take time that is calculated based on the size of the organization and the level of integration needed. In Nov. (2016) the UK government announced a national cybersecurity mandate to invest in two-factor authentication. That followed a July announcement by NIST that it would favor strong second-factor authentication over technologies like SMS going forward. So interest is high, needs are high, and that should fuel growth.
2. What's the main reason that more and more organizations are choosing YubiKeys instead of traditional smart cards?
Usability, durability, and open standards are the main reasons. IT organizations don't have to provision card readers and end users don't have to carry them around. On most operating systems, there aren't any extra drivers to install. And furthermore on usability, the YubiKey is more than just a smart card. Many organizations also use the OTP as well as the FIDO standard protocols on the same key used for smart card operations. So organizations get to choose from a number of authentication options based on use cases, and end-users need only carry a single device that works across all those options and use cases.
3. Ideally, how would you like to see the user presence part of multi-factor authentication handled? Can we replace the PIN codes with something as secure and yet cost efficient?
At several organizations, they have used the touch of the YubiKey in addition, and as a replacement for, PIN codes. The decision depends on use cases and each customer's specific risk profile. Yubico recommends using the option that matches an organization's appropriate risk requirements.
4. What do you believe is the biggest selling point of an IAM system built of vSEC:CMS and YubiKey? - Does ease of use and high level of security play a big role?
Yubico has always been an advocate of companies leveraging their existing investments, both on the server and YubiKey side. Native support in vSEC:CMS allows organizations to more easily provision and manage the lifecycle of the YubiKey smart card capabilities. We encourage our customers to review this new option.
5. Why have you decided to invest in developing your own PIV interface for YubiKeys?
Yubico believes that for security solutions to scale, the need for a standardized approach is necessary. We have invested heavily to implement open standards and the Personal Identity Verification (PIV) interface specified in NIST SP 800-73 is one of the key protocols we have included. We believe that using the PIV standard is a well-established and robust ecosystem that reaches beyond the government.
6. And how do you see the PIV Market evolving?
We believe that given recent technologies and innovations, the smart card market is evolving to demand a high-level of security without sacrificing usability. This is in line with the philosophy that guided the development of the YubiKey, and we think that philosophy is taking hold across all vertical markets. We also believe that those market will start to embrace the YubiKey's ability to authenticate with PIV communicating over NFC, which adds a contactless experience.